Merge branch 'release-21.05' into staging-21.05

doc/languages-frameworks/beam.section.md

@@ -8,9 +8,9 @@ In this document and related Nix expressions, we use the term, _BEAM_, to descri
 
 All BEAM-related expressions are available via the top-level `beam` attribute, which includes:
 
-- `interpreters`: a set of compilers running on the BEAM, including multiple Erlang/OTP versions (`beam.interpreters.erlangR19`, etc), Elixir (`beam.interpreters.elixir`) and LFE (Lisp Flavoured Erlang) (`beam.interpreters.lfe`).
+- `interpreters`: a set of compilers running on the BEAM, including multiple Erlang/OTP versions (`beam.interpreters.erlangR22`, etc), Elixir (`beam.interpreters.elixir`) and LFE (Lisp Flavoured Erlang) (`beam.interpreters.lfe`).
 
-- `packages`: a set of package builders (Mix and rebar3), each compiled with a specific Erlang/OTP version, e.g. `beam.packages.erlangR19`.
+- `packages`: a set of package builders (Mix and rebar3), each compiled with a specific Erlang/OTP version, e.g. `beam.packages.erlang22`.
 
 The default Erlang compiler, defined by `beam.interpreters.erlang`, is aliased as `erlang`. The default BEAM package set is defined by `beam.packages.erlang` and aliased at the top level as `beamPackages`.
 

maintainers/maintainer-list.nix

@@ -6587,6 +6587,16 @@
     githubId = 1387206;
     name = "Mike Sperber";
   };
+  mikroskeem = {
+    email = "mikroskeem@mikroskeem.eu";
+    github = "mikroskeem";
+    githubId = 3490861;
+    name = "Mark Vainomaa";
+    keys = [{
+      longkeyid = "rsa4096/0xDA015B05B5A11B22";
+      fingerprint = "DB43 2895 CF68 F0CE D4B7  EF60 DA01 5B05 B5A1 1B22";
+    }];
+  };
   milesbreslin = {
     email = "milesbreslin@gmail.com";
     github = "milesbreslin";

nixos/doc/manual/development/writing-nixos-tests.xml

@@ -436,6 +436,18 @@ machine.systemctl("list-jobs --no-pager", "any-user") # spawns a shell for `any-
      </para>
     </listitem>
    </varlistentry>
+   <varlistentry>
+    <term>
+     <methodname>shell_interact</methodname>
+    </term>
+    <listitem>
+     <para>
+      Allows you to directly interact with the guest shell.
+      This should only be used during test development, not in production tests.
+      Killing the interactive session with <literal>Ctrl-d</literal> or <literal>Ctrl-c</literal> also ends the guest session.
+     </para>
+    </listitem>
+   </varlistentry>
   </variablelist>
  </para>
 

nixos/doc/manual/installation/upgrading.xml

@@ -14,7 +14,7 @@
     <para>
      <emphasis>Stable channels</emphasis>, such as
      <literal
-    xlink:href="https://nixos.org/channels/nixos-20.09">nixos-20.09</literal>.
+    xlink:href="https://nixos.org/channels/nixos-21.05">nixos-21.05</literal>.
      These only get conservative bug fixes and package upgrades. For instance,
      a channel update may cause the Linux kernel on your system to be upgraded
      from 4.19.34 to 4.19.38 (a minor bug fix), but not from
@@ -38,7 +38,7 @@
     <para>
      <emphasis>Small channels</emphasis>, such as
      <literal
-    xlink:href="https://nixos.org/channels/nixos-20.09-small">nixos-20.09-small</literal>
+    xlink:href="https://nixos.org/channels/nixos-21.05-small">nixos-21.05-small</literal>
      or
      <literal
     xlink:href="https://nixos.org/channels/nixos-unstable-small">nixos-unstable-small</literal>.
@@ -63,8 +63,8 @@
  <para>
   When you first install NixOS, you’re automatically subscribed to the NixOS
   channel that corresponds to your installation source. For instance, if you
-  installed from a 20.09 ISO, you will be subscribed to the
+  installed from a 21.05 ISO, you will be subscribed to the
-  <literal>nixos-20.09</literal> channel. To see which NixOS channel you’re
+  <literal>nixos-21.05</literal> channel. To see which NixOS channel you’re
   subscribed to, run the following as root:
 <screen>
 <prompt># </prompt>nix-channel --list | grep nixos
@@ -75,13 +75,13 @@ nixos https://nixos.org/channels/nixos-unstable
 <prompt># </prompt>nix-channel --add https://nixos.org/channels/<replaceable>channel-name</replaceable> nixos
 </screen>
   (Be sure to include the <literal>nixos</literal> parameter at the end.) For
-  instance, to use the NixOS 20.09 stable channel:
+  instance, to use the NixOS 21.05 stable channel:
 <screen>
-<prompt># </prompt>nix-channel --add https://nixos.org/channels/nixos-20.09 nixos
+<prompt># </prompt>nix-channel --add https://nixos.org/channels/nixos-21.05 nixos
 </screen>
   If you have a server, you may want to use the “small” channel instead:
 <screen>
-<prompt># </prompt>nix-channel --add https://nixos.org/channels/nixos-20.09-small nixos
+<prompt># </prompt>nix-channel --add https://nixos.org/channels/nixos-21.05-small nixos
 </screen>
   And if you want to live on the bleeding edge:
 <screen>
@@ -132,7 +132,7 @@ nixos https://nixos.org/channels/nixos-unstable
    kernel, initrd or kernel modules.
    You can also specify a channel explicitly, e.g.
 <programlisting>
-<xref linkend="opt-system.autoUpgrade.channel"/> = https://nixos.org/channels/nixos-20.09;
+<xref linkend="opt-system.autoUpgrade.channel"/> = https://nixos.org/channels/nixos-21.05;
 </programlisting>
   </para>
  </section>

nixos/doc/manual/release-notes/rl-2105.xml

@@ -3,8 +3,11 @@
          xmlns:xi="http://www.w3.org/2001/XInclude"
          version="5.0"
          xml:id="sec-release-21.05">
- <title>Release 21.05 (“Okapi”, 2021.05/??)</title>
+ <title>Release 21.05 (“Okapi”, 2021.05/31)</title>
 
+ <para>
+  Support is planned until the end of December 2021, handing over to 21.11.
+ </para>
  <section xmlns="http://docbook.org/ns/docbook"
          xmlns:xlink="http://www.w3.org/1999/xlink"
          xmlns:xi="http://www.w3.org/2001/XInclude"
@@ -18,114 +21,81 @@
   </para>
 
   <itemizedlist>
+
    <listitem>
     <para>
-     Support is planned until the end of December 2021, handing over to 21.11.
+     Core version changes:
     </para>
-   </listitem>
+    <itemizedlist>
-   <listitem>
-    <para>The default Linux kernel was updated to the 5.10 LTS series, coming from the 5.4 LTS series.</para>
-    <para>The <package>linux_latest</package> kernel was updated to the 5.12 series. It currently is not officially supported for use with the zfs filesystem. If you use zfs, you should use a different kernel version (either the LTS kernel, or track a specific one). </para>
-   </listitem>
-   <listitem>
-    <para>GNOME desktop environment was upgraded to 40, see the release notes for <link xlink:href="https://help.gnome.org/misc/release-notes/40.0/">40.0</link> and <link xlink:href="https://help.gnome.org/misc/release-notes/3.38/">3.38</link>. The <code>gnome3</code> attribute set has been renamed to <code>gnome</code> and so have been the NixOS options.</para>
-   </listitem>
      <listitem>
       <para>
-     <link xlink:href="https://www.gnuradio.org/">GNURadio</link> 3.8 was
+       gcc: 9.3.0 -> 10.3.0
-     <link xlink:href="https://github.com/NixOS/nixpkgs/issues/82263">finally</link>
-     packaged, along with a rewrite to the Nix expressions, allowing users to
-     override the features upstream supports selecting to compile or not to.
-     Additionally, the attribute <code>gnuradio</code> and <code>gnuradio3_7</code>
-     now point to an externally wrapped by default derivations, that allow you to
-     also add `extraPythonPackages` to the Python interpreter used by GNURadio.
-     Missing environmental variables needed for operational GUI were also added
-     (<link xlink:href="https://github.com/NixOS/nixpkgs/issues/75478">#75478</link>).
       </para>
      </listitem>
      <listitem>
       <para>
-     <link xlink:href="https://www.gnuradio.org/">GNURadio</link> has a
+       glibc: 2.30 -> 2.32
-     <code>pkgs</code> attribute set, and there's a <code>gnuradio.callPackage</code>
-     function that extends <code>pkgs</code> with a <code>mkDerivation</code>, and a
-     <code>mkDerivationWith</code>, like Qt5. Now all <code>gnuradio.pkgs</code> are
-     defined with <code>gnuradio.callPackage</code> and some packages that depend
-     on gnuradio are defined with this as well.
       </para>
      </listitem>
      <listitem>
       <para>
-     <link xlink:href="https://www.privoxy.org/">Privoxy</link> has been updated
+        default linux: 5.4 -> 5.10, all supported kernels available
-     to version 3.0.32 (See <link xlink:href="https://lists.privoxy.org/pipermail/privoxy-announce/2021-February/000007.html">announcement</link>).
-     Compared to the previous release, Privoxy has gained support for HTTPS
-     inspection (still experimental), Brotli decompression, several new filters
-     and lots of bug fixes, including security ones. In addition, the package
-     is now built with compression and external filters support, which were
-     previously disabled.
-    </para>
-    <para>
-     Regarding the NixOS module, new options for HTTPS inspection have been added
-     and <option>services.privoxy.extraConfig</option> has been replaced by the new
-     <xref linkend="opt-services.privoxy.settings"/>
-     (See <link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">RFC 0042</link>
-     for the motivation).
       </para>
      </listitem>
+     <listitem>
+      <para>
+        mesa: 20.1.7 -> 21.0.1
+      </para>
+     </listitem>
+    </itemizedlist>
+   </listitem>
+   <listitem>
+    <para>
+     Desktop Environments:
+    </para>
+    <itemizedlist>
+     <listitem>
+      <para>
+        GNOME: 3.36 -> 40, see its <link xlink:href="https://help.gnome.org/misc/release-notes/40.0/">release notes</link>
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+        Plasma5: 5.18.5 -> 5.21.3
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+        kdeApplications: 20.08.1 -> 20.12.3
+      </para>
+     </listitem>
+      <listitem>
+       <para>
+         cinnamon: 4.6 -> 4.8.1
+      </para>
+     </listitem>
+    </itemizedlist>
+   </listitem>
+
+   <listitem>
+    <para>
+     Programming Languages and Frameworks:
+    </para>
+    <itemizedlist>
+
      <listitem>
       <para>
        Python optimizations were disabled again. Builds with optimizations enabled
        are not reproducible. Optimizations can now be enabled with an option.
       </para>
      </listitem>
-   <listitem>
+
-    <para>
+    </itemizedlist>
-     <link xlink:href="https://kodi.tv/">Kodi</link> has been updated to version 19.1 "Matrix". See
-     the <link xlink:href="https://kodi.tv/article/kodi-190-matrix-release">announcement</link> for
-     further details.
-    </para>
    </listitem>
    <listitem>
-    <para>
+    <para>The <package>linux_latest</package> kernel was updated to the 5.12 series. It currently is not officially supported for use with the zfs filesystem. If you use zfs, you should use a different kernel version (either the LTS kernel, or track a specific one). </para>
-     The <option>services.packagekit.backend</option> option has been removed as
-     it only supported a single setting which would always be the default.
-     Instead new <link
-     xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">RFC
-     0042</link> compliant <xref linkend="opt-services.packagekit.settings"/>
-     and <xref linkend="opt-services.packagekit.vendorSettings"/> options have
-     been introduced.
-    </para>
-   </listitem>
-   <listitem>
-    <para>
-      <link xlink:href="https://nginx.org">Nginx</link> has been updated to stable version 1.20.0.
-      Now nginx uses the zlib-ng library by default.
-    </para>
-   </listitem>
-   <listitem>
-    <para>
-     KDE Gear (formerly KDE Applications) is upgraded to 21.04, see its
-     <link xlink:href="https://kde.org/announcements/gear/21.04/">release
-     notes</link> for details.
-    </para>
-    <para>
-     The <code>kdeApplications</code> package set is now <code>kdeGear</code>,
-     in keeping with the new name. The old name remains for compatibility, but
-     it is deprecated.
-    </para>
-   </listitem>
-   <listitem>
-    <para>
-     <link xlink:href="https://libreswan.org/">Libreswan</link> has been updated
-     to version 4.4. The package now includes example configurations and manual
-     pages by default. The NixOS module has been changed to use the upstream
-     systemd units and write the configuration in the <literal>/etc/ipsec.d/
-     </literal> directory. In addition, two new options have been added to
-     specify connection policies
-     (<xref linkend="opt-services.libreswan.policies"/>)
-     and disable send/receive redirects
-     (<xref linkend="opt-services.libreswan.disableRedirects"/>).
-    </para>
    </listitem>
+
   </itemizedlist>
  </section>
 
@@ -141,6 +111,20 @@
   </para>
 
   <itemizedlist>
+   <listitem>
+    <para>
+     <link xlink:href="https://www.gnuradio.org/">GNURadio</link> 3.8 was
+     <link xlink:href="https://github.com/NixOS/nixpkgs/issues/82263">finally</link>
+     packaged, along with a rewrite to the Nix expressions, allowing users to
+     override the features upstream supports selecting to compile or not to.
+     Additionally, the attribute <code>gnuradio</code> and <code>gnuradio3_7</code>
+     now point to an externally wrapped by default derivations, that allow you to
+     also add `extraPythonPackages` to the Python interpreter used by GNURadio.
+     Missing environmental variables needed for operational GUI were also added
+     (<link xlink:href="https://github.com/NixOS/nixpkgs/issues/75478">#75478</link>).
+    </para>
+   </listitem>
+
    <listitem>
      <para>
        <link xlink:href="https://www.keycloak.org/">Keycloak</link>,
@@ -193,6 +177,10 @@
   </para>
 
   <itemizedlist>
+   <listitem>
+    <para>GNOME desktop environment was upgraded to 40, see the release notes for <link xlink:href="https://help.gnome.org/misc/release-notes/40.0/">40.0</link> and <link xlink:href="https://help.gnome.org/misc/release-notes/3.38/">3.38</link>. The <code>gnome3</code> attribute set has been renamed to <code>gnome</code> and so have been the NixOS options.</para>
+   </listitem>
+
    <listitem>
     <para>
      If you are using <option>services.udev.extraRules</option> to assign
@@ -795,6 +783,16 @@ environment.systemPackages = [
      the deprecated <option>services.radicale.config</option> is used.
     </para>
    </listitem>
+   <listitem>
+    <para>
+     In the <option>security.acme</option> module, use of <literal>--reuse-key</literal>
+     parameter for Lego has been removed. It was introduced for HKPK, but this security
+     feature is now deprecated. It is a better security practice to rotate key pairs
+     instead of always keeping the same. If you need to keep this parameter, you can add
+     it back using <literal>extraLegoRenewFlags</literal> as an option for the
+     appropriate certificate.
+    </para>
+   </listitem>
   </itemizedlist>
  </section>
 
@@ -814,6 +812,85 @@ environment.systemPackages = [
      for details.
     </para>
    </listitem>
+
+   <listitem>
+    <para>
+     <link xlink:href="https://www.gnuradio.org/">GNURadio</link> has a
+     <code>pkgs</code> attribute set, and there's a <code>gnuradio.callPackage</code>
+     function that extends <code>pkgs</code> with a <code>mkDerivation</code>, and a
+     <code>mkDerivationWith</code>, like Qt5. Now all <code>gnuradio.pkgs</code> are
+     defined with <code>gnuradio.callPackage</code> and some packages that depend
+     on gnuradio are defined with this as well.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <link xlink:href="https://www.privoxy.org/">Privoxy</link> has been updated
+     to version 3.0.32 (See <link xlink:href="https://lists.privoxy.org/pipermail/privoxy-announce/2021-February/000007.html">announcement</link>).
+     Compared to the previous release, Privoxy has gained support for HTTPS
+     inspection (still experimental), Brotli decompression, several new filters
+     and lots of bug fixes, including security ones. In addition, the package
+     is now built with compression and external filters support, which were
+     previously disabled.
+    </para>
+    <para>
+     Regarding the NixOS module, new options for HTTPS inspection have been added
+     and <option>services.privoxy.extraConfig</option> has been replaced by the new
+     <xref linkend="opt-services.privoxy.settings"/>
+     (See <link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">RFC 0042</link>
+     for the motivation).
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <link xlink:href="https://kodi.tv/">Kodi</link> has been updated to version 19.1 "Matrix". See
+     the <link xlink:href="https://kodi.tv/article/kodi-190-matrix-release">announcement</link> for
+     further details.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <option>services.packagekit.backend</option> option has been removed as
+     it only supported a single setting which would always be the default.
+     Instead new <link
+     xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">RFC
+     0042</link> compliant <xref linkend="opt-services.packagekit.settings"/>
+     and <xref linkend="opt-services.packagekit.vendorSettings"/> options have
+     been introduced.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+      <link xlink:href="https://nginx.org">Nginx</link> has been updated to stable version 1.20.0.
+      Now nginx uses the zlib-ng library by default.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     KDE Gear (formerly KDE Applications) is upgraded to 21.04, see its
+     <link xlink:href="https://kde.org/announcements/gear/21.04/">release
+     notes</link> for details.
+    </para>
+    <para>
+     The <code>kdeApplications</code> package set is now <code>kdeGear</code>,
+     in keeping with the new name. The old name remains for compatibility, but
+     it is deprecated.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <link xlink:href="https://libreswan.org/">Libreswan</link> has been updated
+     to version 4.4. The package now includes example configurations and manual
+     pages by default. The NixOS module has been changed to use the upstream
+     systemd units and write the configuration in the <literal>/etc/ipsec.d/
+     </literal> directory. In addition, two new options have been added to
+     specify connection policies
+     (<xref linkend="opt-services.libreswan.policies"/>)
+     and disable send/receive redirects
+     (<xref linkend="opt-services.libreswan.disableRedirects"/>).
+    </para>
+   </listitem>
+
    <listitem>
     <para>
      The Mailman NixOS module (<literal>services.mailman</literal>) has a new
@@ -975,7 +1052,8 @@ environment.systemPackages = [
      PulseAudio was upgraded to 14.0, with changes to the handling of default sinks.
      See its <link xlink:href="https://www.freedesktop.org/wiki/Software/PulseAudio/Notes/14.0/">release notes</link>.
     </para>
-
+   </listitem>
+   <listitem>
     <para>
      GNOME users may wish to delete their <literal>~/.config/pulse</literal> due to the changes to stream routing
      logic. See <link xlink:href="https://gitlab.freedesktop.org/pulseaudio/pulseaudio/-/issues/832">PulseAudio bug 832</link>
@@ -1166,6 +1244,14 @@ environment.systemPackages = [
      Nixpkgs now contains <link xlink:href="https://github.com/NixOS/nixpkgs/pull/118232">automatically packaged GNOME Shell extensions</link> from the <link xlink:href="https://extensions.gnome.org/">GNOME Extensions</link> portal. You can find them, filed by their UUID, under <literal>gnome38Extensions</literal> attribute for GNOME 3.38 and under <literal>gnome40Extensions</literal> for GNOME 40. Finally, the <literal>gnomeExtensions</literal> attribute contains extensions for the latest GNOME Shell version in Nixpkgs, listed under a more human-friendly name. The unqualified attribute scope also contains manually packaged extensions. Note that the automatically packaged extensions are provided for convenience and are not checked or guaranteed to work.
     </para>
    </listitem>
+   <listitem>
+    <para>
+     Erlang/OTP versions older than R21 got dropped. We also dropped the cuter package, as it was purely an example of how to build a package.
+     We also dropped <literal>lfe_1_2</literal> as it could not build with R21+.
+     Moving forward, we expect to only support 3 yearly releases of OTP.
+    </para>
+   </listitem>
+
   </itemizedlist>
  </section>
 </section>

nixos/lib/test-driver/test-driver.py

@@ -21,6 +21,7 @@ import shutil
 import socket
 import subprocess
 import sys
+import telnetlib
 import tempfile
 import time
 import traceback
@@ -455,6 +456,16 @@ class Machine:
                 return (status_code, output)
             output += chunk
 
+    def shell_interact(self) -> None:
+        """Allows you to interact with the guest shell
+
+        Should only be used during test development, not in the production test."""
+        self.connect()
+        self.log("Terminal is ready (there is no prompt):")
+        telnet = telnetlib.Telnet()
+        telnet.sock = self.shell  # type: ignore
+        telnet.interact()
+
     def succeed(self, *commands: str) -> str:
         """Execute each command and check that it succeeds."""
         output = ""

nixos/modules/installer/cd-dvd/iso-image.nix

@@ -182,13 +182,29 @@ let
     # Menu configuration
     #
 
+    # Search using a "marker file"
+    search --set=root --file /EFI/nixos-installer-image
+
     insmod gfxterm
     insmod png
     set gfxpayload=keep
+    set gfxmode=${concatStringsSep "," [
+      # GRUB will use the first valid mode listed here.
+      # `auto` will sometimes choose the smallest valid mode it detects.
+      # So instead we'll list a lot of possibly valid modes :/
+      #"3840x2160"
+      #"2560x1440"
+      "1920x1080"
+      "1366x768"
+      "1280x720"
+      "1024x768"
+      "800x600"
+      "auto"
+    ]}
 
     # Fonts can be loaded?
     # (This font is assumed to always be provided as a fallback by NixOS)
-    if loadfont /EFI/boot/unicode.pf2; then
+    if loadfont (\$root)/EFI/boot/unicode.pf2; then
       set with_fonts=true
     fi
     if [ "\$textmode" != "true" -a "\$with_fonts" == "true" ]; then
@@ -212,11 +228,11 @@ let
     ${ # When there is a theme configured, use it, otherwise use the background image.
     if config.isoImage.grubTheme != null then ''
       # Sets theme.
-      set theme=/EFI/boot/grub-theme/theme.txt
+      set theme=(\$root)/EFI/boot/grub-theme/theme.txt
       # Load theme fonts
-      $(find ${config.isoImage.grubTheme} -iname '*.pf2' -printf "loadfont /EFI/boot/grub-theme/%P\n")
+      $(find ${config.isoImage.grubTheme} -iname '*.pf2' -printf "loadfont (\$root)/EFI/boot/grub-theme/%P\n")
     '' else ''
-      if background_image /EFI/boot/efi-background.png; then
+      if background_image (\$root)/EFI/boot/efi-background.png; then
         # Black background means transparent background when there
         # is a background image set... This seems undocumented :(
         set color_normal=black/black
@@ -239,6 +255,9 @@ let
   } ''
     mkdir -p $out/EFI/boot/
 
+    # Add a marker so GRUB can find the filesystem.
+    touch $out/EFI/nixos-installer-image
+
     # ALWAYS required modules.
     MODULES="fat iso9660 part_gpt part_msdos \
              normal boot linux configfile loopback chain halt \
@@ -294,12 +313,12 @@ let
     ${grubMenuCfg}
 
     hiddenentry 'Text mode' --hotkey 't' {
-      loadfont /EFI/boot/unicode.pf2
+      loadfont (\$root)/EFI/boot/unicode.pf2
       set textmode=true
       terminal_output gfxterm console
     }
     hiddenentry 'GUI mode' --hotkey 'g' {
-      $(find ${config.isoImage.grubTheme} -iname '*.pf2' -printf "loadfont /EFI/boot/grub-theme/%P\n")
+      $(find ${config.isoImage.grubTheme} -iname '*.pf2' -printf "loadfont (\$root)/EFI/boot/grub-theme/%P\n")
       set textmode=false
       terminal_output gfxterm
     }
@@ -370,8 +389,10 @@ let
     ${lib.optionalString (refindBinary != null) ''
     # GRUB apparently cannot do "chainloader" operations on "CD".
     if [ "\$root" != "cd0" ]; then
+      # Force root to be the FAT partition
+      # Otherwise it breaks rEFInd's boot
+      search --set=root --no-floppy --fs-uuid 1234-5678
       menuentry 'rEFInd' --class refind {
-        # \$root defaults to the drive the EFI is found on.
         chainloader (\$root)/EFI/boot/${refindBinary}
       }
     fi
@@ -403,7 +424,9 @@ let
       mkdir ./boot
       cp -p "${config.boot.kernelPackages.kernel}/${config.system.boot.loader.kernelFile}" \
         "${config.system.build.initialRamdisk}/${config.system.boot.loader.initrdFile}" ./boot/
-      touch --date=@0 ./EFI ./boot
+
+      # Rewrite dates for everything in the FS
+      find . -exec touch --date=2000-01-01 {} +
 
       usage_size=$(du -sb --apparent-size . | tr -cd '[:digit:]')
       # Make the image 110% as big as the files need to make up for FAT overhead

nixos/modules/module-list.nix

@@ -1111,6 +1111,7 @@
   ./virtualisation/openvswitch.nix
   ./virtualisation/parallels-guest.nix
   ./virtualisation/podman.nix
+  ./virtualisation/podman-network-socket-ghostunnel.nix
   ./virtualisation/qemu-guest-agent.nix
   ./virtualisation/railcar.nix
   ./virtualisation/spice-usb-redirection.nix

nixos/modules/security/acme.nix

@@ -152,7 +152,7 @@ let
     );
     renewOpts = escapeShellArgs (
       commonOpts
-      ++ [ "renew" "--reuse-key" ]
+      ++ [ "renew" ]
       ++ optionals data.ocspMustStaple [ "--must-staple" ]
       ++ data.extraLegoRenewFlags
     );

nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix

@@ -35,13 +35,28 @@ in
         {
           <xref linkend="opt-services.prometheus.exporters.dovecot.enable" /> = true;
           <xref linkend="opt-services.prometheus.exporters.dovecot.socketPath" /> = "/var/run/dovecot2/old-stats";
+          <xref linkend="opt-services.dovecot2.mailPlugins.globally.enable" /> = [ "old_stats" ];
           <xref linkend="opt-services.dovecot2.extraConfig" /> = '''
-            mail_plugins = $mail_plugins old_stats
             service old-stats {
               unix_listener old-stats {
                 user = dovecot-exporter
                 group = dovecot-exporter
+                mode = 0660
               }
+              fifo_listener old-stats-mail {
+                mode = 0660
+                user = dovecot
+                group = dovecot
+              }
+              fifo_listener old-stats-user {
+                mode = 0660
+                user = dovecot
+                group = dovecot
+              }
+            }
+            plugin {
+              old_stats_refresh = 30 secs
+              old_stats_track_cmds = yes
             }
           ''';
         }

nixos/modules/services/monitoring/prometheus/exporters/mail.nix

@@ -112,6 +112,24 @@ let
       '';
       description = ''
         List of servers that should be probed.
+
+        <emphasis>Note:</emphasis> if your mailserver has <citerefentry>
+        <refentrytitle>rspamd</refentrytitle><manvolnum>8</manvolnum></citerefentry> configured,
+        it can happen that emails from this exporter are marked as spam.
+
+        It's possible to work around the issue with a config like this:
+        <programlisting>
+        {
+          <link linkend="opt-services.rspamd.locals._name_.text">services.rspamd.locals."multimap.conf".text</link> = '''
+            ALLOWLIST_PROMETHEUS {
+              filter = "email:domain:tld";
+              type = "from";
+              map = "''${pkgs.writeText "allowmap" "domain.tld"}";
+              score = -100.0;
+            }
+          ''';
+        }
+        </programlisting>
       '';
     };
   };

nixos/modules/services/monitoring/prometheus/exporters/rspamd.nix

@@ -5,21 +5,19 @@ with lib;
 let
   cfg = config.services.prometheus.exporters.rspamd;
 
-  prettyJSON = conf:
+  mkFile = conf:
-    pkgs.runCommand "rspamd-exporter-config.yml" { } ''
+    pkgs.writeText "rspamd-exporter-config.yml" (builtins.toJSON conf);
-      echo '${builtins.toJSON conf}' | ${pkgs.buildPackages.jq}/bin/jq '.' > $out
-    '';
 
   generateConfig = extraLabels: {
     metrics = (map (path: {
-      name = "rspamd_${replaceStrings [ "." " " ] [ "_" "_" ] path}";
+      name = "rspamd_${replaceStrings [ "[" "." " " "]" "\\" "'" ] [ "_" "_" "_" "" "" "" ] path}";
       path = "{ .${path} }";
       labels = extraLabels;
     }) [
-      "actions.'add header'"
+      "actions['add\\ header']"
-      "actions.'no action'"
+      "actions['no\\ action']"
-      "actions.'rewrite subject'"
+      "actions['rewrite\\ subject']"
-      "actions.'soft reject'"
+      "actions['soft\\ reject']"
       "actions.greylist"
       "actions.reject"
       "bytes_allocated"
@@ -40,18 +38,18 @@ let
     ]) ++ [{
       name = "rspamd_statfiles";
       type = "object";
-      path = "$.statfiles[*]";
+      path = "{.statfiles[*]}";
       labels = recursiveUpdate {
-        symbol = "$.symbol";
+        symbol = "{.symbol}";
-        type = "$.type";
+        type = "{.type}";
       } extraLabels;
       values = {
-        revision = "$.revision";
+        revision = "{.revision}";
-        size = "$.size";
+        size = "{.size}";
-        total = "$.total";
+        total = "{.total}";
-        used = "$.used";
+        used = "{.used}";
-        languages = "$.languages";
+        languages = "{.languages}";
-        users = "$.users";
+        users = "{.users}";
       };
     }];
   };
@@ -76,7 +74,7 @@ in
   };
   serviceOpts.serviceConfig.ExecStart = ''
     ${pkgs.prometheus-json-exporter}/bin/json_exporter \
-      --config.file ${prettyJSON (generateConfig cfg.extraLabels)} \
+      --config.file ${mkFile (generateConfig cfg.extraLabels)} \
       --web.listen-address "${cfg.listenAddress}:${toString cfg.port}" \
       ${concatStringsSep " \\\n  " cfg.extraFlags}
   '';

nixos/modules/virtualisation/containers.nix

@@ -48,6 +48,23 @@ in
       description = "containers.conf configuration";
     };
 
+    containersConf.cniPlugins = mkOption {
+      type = types.listOf types.package;
+      defaultText = ''
+        [
+          pkgs.cni-plugins
+        ]
+      '';
+      example = lib.literalExample ''
+        [
+          pkgs.cniPlugins.dnsname
+        ]
+      '';
+      description = ''
+        CNI plugins to install on the system.
+      '';
+    };
+
     registries = {
       search = mkOption {
         type = types.listOf types.str;
@@ -97,8 +114,11 @@ in
   };
 
   config = lib.mkIf cfg.enable {
+
+    virtualisation.containers.containersConf.cniPlugins = [ pkgs.cni-plugins ];
+
     virtualisation.containers.containersConf.settings = {
-      network.cni_plugin_dirs = [ "${pkgs.cni-plugins}/bin/" ];
+      network.cni_plugin_dirs = map (p: "${lib.getBin p}/bin") cfg.containersConf.cniPlugins;
       engine = {
         init_path = "${pkgs.catatonit}/bin/catatonit";
       } // lib.optionalAttrs cfg.ociSeccompBpfHook.enable {

nixos/modules/virtualisation/podman-dnsname.nix

@@ -0,0 +1,36 @@
+{ config, lib, pkgs, ... }:
+let
+  inherit (lib)
+    mkOption
+    mkIf
+    types
+    ;
+
+  cfg = config.virtualisation.podman;
+
+in
+{
+  options = {
+    virtualisation.podman = {
+
+      defaultNetwork.dnsname.enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Enable DNS resolution in the default podman network.
+        '';
+      };
+
+    };
+  };
+
+  config = {
+    virtualisation.containers.containersConf.cniPlugins = mkIf cfg.defaultNetwork.dnsname.enable [ pkgs.dnsname-cni ];
+    virtualisation.podman.defaultNetwork.extraPlugins =
+      lib.optional cfg.defaultNetwork.dnsname.enable {
+        type = "dnsname";
+        domainName = "dns.podman";
+        capabilities.aliases = true;
+      };
+  };
+}

nixos/modules/virtualisation/podman-network-socket-ghostunnel.nix

@@ -0,0 +1,34 @@
+{ config, lib, pkg, ... }:
+let
+  inherit (lib)
+    mkOption
+    types
+    ;
+
+  cfg = config.virtualisation.podman.networkSocket;
+
+in
+{
+  options.virtualisation.podman.networkSocket = {
+    server = mkOption {
+      type = types.enum [ "ghostunnel" ];
+    };
+  };
+
+  config = lib.mkIf (cfg.enable && cfg.server == "ghostunnel") {
+
+    services.ghostunnel = {
+      enable = true;
+      servers."podman-socket" = {
+        inherit (cfg.tls) cert key cacert;
+        listen = "${cfg.listenAddress}:${toString cfg.port}";
+        target = "unix:/run/podman/podman.sock";
+        allowAll = lib.mkDefault true;
+      };
+    };
+    systemd.services.ghostunnel-server-podman-socket.serviceConfig.SupplementaryGroups = ["podman"];
+
+  };
+
+  meta.maintainers = lib.teams.podman.members ++ [ lib.maintainers.roberth ];
+}

nixos/modules/virtualisation/podman-network-socket.nix

@@ -0,0 +1,91 @@
+{ config, lib, pkg, ... }:
+let
+  inherit (lib)
+    mkOption
+    types
+    ;
+
+  cfg = config.virtualisation.podman.networkSocket;
+
+in
+{
+  options.virtualisation.podman.networkSocket = {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Make the Podman and Docker compatibility API available over the network
+        with TLS client certificate authentication.
+
+        This allows Docker clients to connect with the equivalents of the Docker
+        CLI <code>-H</code> and <code>--tls*</code> family of options.
+
+        For certificate setup, see https://docs.docker.com/engine/security/protect-access/
+
+        This option is independent of <xref linkend="opt-virtualisation.podman.dockerSocket.enable"/>.
+      '';
+    };
+
+    server = mkOption {
+      type = types.enum [];
+      description = ''
+        Choice of TLS proxy server.
+      '';
+      example = "ghostunnel";
+    };
+
+    openFirewall = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Whether to open the port in the firewall.
+      '';
+    };
+
+    tls.cacert = mkOption {
+      type = types.path;
+      description = ''
+        Path to CA certificate to use for client authentication.
+      '';
+    };
+
+    tls.cert = mkOption {
+      type = types.path;
+      description = ''
+        Path to certificate describing the server.
+      '';
+    };
+
+    tls.key = mkOption {
+      type = types.path;
+      description = ''
+        Path to the private key corresponding to the server certificate.
+
+        Use a string for this setting. Otherwise it will be copied to the Nix
+        store first, where it is readable by any system process.
+      '';
+    };
+
+    port = mkOption {
+      type = types.port;
+      default = 2376;
+      description = ''
+        TCP port number for receiving TLS connections.
+      '';
+    };
+    listenAddress = mkOption {
+      type = types.str;
+      default = "0.0.0.0";
+      description = ''
+        Interface address for receiving TLS connections.
+      '';
+    };
+  };
+
+  config = {
+    networking.firewall.allowedTCPPorts =
+      lib.optional (cfg.enable && cfg.openFirewall) cfg.port;
+  };
+
+  meta.maintainers = lib.teams.podman.members ++ [ lib.maintainers.roberth ];
+}

nixos/modules/virtualisation/podman.nix

@@ -1,7 +1,8 @@
-{ config, lib, pkgs, utils, ... }:
+{ config, lib, pkgs, ... }:
 let
   cfg = config.virtualisation.podman;
   toml = pkgs.formats.toml { };
+  json = pkgs.formats.json { };
 
   inherit (lib) mkOption types;
 
@@ -22,9 +23,24 @@ let
     done
   '';
 
+  net-conflist = pkgs.runCommand "87-podman-bridge.conflist" {
+    nativeBuildInputs = [ pkgs.jq ];
+    extraPlugins = builtins.toJSON cfg.defaultNetwork.extraPlugins;
+    jqScript = ''
+      . + { "plugins": (.plugins + $extraPlugins) }
+    '';
+  } ''
+    jq <${cfg.package}/etc/cni/net.d/87-podman-bridge.conflist \
+      --argjson extraPlugins "$extraPlugins" \
+      "$jqScript" \
+      >$out
+  '';
+
 in
 {
   imports = [
+    ./podman-dnsname.nix
+    ./podman-network-socket.nix
     (lib.mkRenamedOptionModule [ "virtualisation" "podman" "libpod" ] [ "virtualisation" "containers" "containersConf" ])
   ];
 
@@ -46,6 +62,20 @@ in
         '';
       };
 
+    dockerSocket.enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Make the Podman socket available in place of the Docker socket, so
+        Docker tools can find the Podman socket.
+
+        Podman implements the Docker API.
+
+        Users must be in the <code>podman</code> group in order to connect. As
+        with Docker, members of this group can gain root access.
+      '';
+    };
+
     dockerCompat = mkOption {
       type = types.bool;
       default = false;
@@ -84,6 +114,13 @@ in
       '';
     };
 
+    defaultNetwork.extraPlugins = lib.mkOption {
+      type = types.listOf json.type;
+      default = [];
+      description = ''
+        Extra CNI plugin configurations to add to podman's default network.
+      '';
+    };
 
   };
 
@@ -92,7 +129,7 @@ in
       environment.systemPackages = [ cfg.package ]
         ++ lib.optional cfg.dockerCompat dockerCompat;
 
-      environment.etc."cni/net.d/87-podman-bridge.conflist".source = utils.copyFile "${pkgs.podman-unwrapped.src}/cni/87-podman-bridge.conflist";
+      environment.etc."cni/net.d/87-podman-bridge.conflist".source = net-conflist;
 
       virtualisation.containers = {
         enable = true; # Enable common /etc/containers configuration
@@ -111,14 +148,36 @@ in
       };
 
       systemd.sockets.podman.wantedBy = [ "sockets.target" ];
+      systemd.sockets.podman.socketConfig.SocketGroup = "podman";
 
-      systemd.tmpfiles.packages = [ cfg.package ];
+      systemd.tmpfiles.packages = [
+        # The /run/podman rule interferes with our podman group, so we remove
+        # it and let the systemd socket logic take care of it.
+        (pkgs.runCommand "podman-tmpfiles-nixos" { package = cfg.package; } ''
+          mkdir -p $out/lib/tmpfiles.d/
+          grep -v 'D! /run/podman 0700 root root' \
+            <$package/lib/tmpfiles.d/podman.conf \
+            >$out/lib/tmpfiles.d/podman.conf
+        '') ];
+
+      systemd.tmpfiles.rules =
+        lib.optionals cfg.dockerSocket.enable [
+          "L! /run/docker.sock - - - - /run/podman/podman.sock"
+        ];
+
+      users.groups.podman = {};
 
       assertions = [
         {
           assertion = cfg.dockerCompat -> !config.virtualisation.docker.enable;
           message = "Option dockerCompat conflicts with docker";
         }
+        {
+          assertion = cfg.dockerSocket.enable -> !config.virtualisation.docker.enable;
+          message = ''
+            The options virtualisation.podman.dockerSocket.enable and virtualisation.docker.enable conflict, because only one can serve the socket.
+          '';
+        }
       ];
     }
   ]);

nixos/tests/all-tests.nix

@@ -335,6 +335,8 @@ in
   plotinus = handleTest ./plotinus.nix {};
   podgrab = handleTest ./podgrab.nix {};
   podman = handleTestOn ["x86_64-linux"] ./podman.nix {};
+  podman-dnsname = handleTestOn ["x86_64-linux"] ./podman-dnsname.nix {};
+  podman-tls-ghostunnel = handleTestOn ["x86_64-linux"] ./podman-tls-ghostunnel.nix {};
   pomerium = handleTestOn ["x86_64-linux"] ./pomerium.nix {};
   postfix = handleTest ./postfix.nix {};
   postfix-raise-smtpd-tls-security-level = handleTest ./postfix-raise-smtpd-tls-security-level.nix {};

nixos/tests/docker-tools.nix

@@ -20,6 +20,20 @@ import ./make-test-python.nix ({ pkgs, ... }: {
 
     docker.wait_for_unit("sockets.target")
 
+    with subtest("includeStorePath"):
+        with subtest("assumption"):
+            docker.succeed("${examples.helloOnRoot} | docker load")
+            docker.succeed("set -euo pipefail; docker run --rm hello | grep -i hello")
+            docker.succeed("docker image rm hello:latest")
+        with subtest("includeStorePath = false; breaks example"):
+            docker.succeed("${examples.helloOnRootNoStore} | docker load")
+            docker.fail("set -euo pipefail; docker run --rm hello | grep -i hello")
+            docker.succeed("docker image rm hello:latest")
+        with subtest("includeStorePath = false; works with mounted store"):
+            docker.succeed("${examples.helloOnRootNoStore} | docker load")
+            docker.succeed("set -euo pipefail; docker run --rm --volume ${builtins.storeDir}:${builtins.storeDir}:ro hello | grep -i hello")
+            docker.succeed("docker image rm hello:latest")
+
     with subtest("Ensure Docker images use a stable date by default"):
         docker.succeed(
             "docker load --input='${examples.bash}'"

nixos/tests/podman-dnsname.nix

@@ -0,0 +1,42 @@
+import ./make-test-python.nix (
+  { pkgs, lib, ... }:
+  let
+    inherit (pkgs) writeTextDir python3 curl;
+    webroot = writeTextDir "index.html" "<h1>Hi</h1>";
+  in
+  {
+    name = "podman-dnsname";
+    meta = {
+      maintainers = with lib.maintainers; [ roberth ] ++ lib.teams.podman.members;
+    };
+
+    nodes = {
+      podman = { pkgs, ... }: {
+        virtualisation.podman.enable = true;
+        virtualisation.podman.defaultNetwork.dnsname.enable = true;
+      };
+    };
+
+    testScript = ''
+      podman.wait_for_unit("sockets.target")
+
+      with subtest("DNS works"): # also tests inter-container tcp routing
+        podman.succeed("tar cv --files-from /dev/null | podman import - scratchimg")
+        podman.succeed(
+          "podman run -d --name=webserver -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin -w ${webroot} scratchimg ${python3}/bin/python -m http.server 8000"
+        )
+        podman.succeed("podman ps | grep webserver")
+        podman.succeed("""
+          for i in `seq 0 120`; do
+            podman run --rm --name=client -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg ${curl}/bin/curl http://webserver:8000 >/dev/console \
+              && exit 0
+            sleep 0.5
+          done
+          exit 1
+        """)
+        podman.succeed("podman stop webserver")
+        podman.succeed("podman rm webserver")
+
+    '';
+  }
+)

nixos/tests/podman-tls-ghostunnel.nix

@@ -0,0 +1,150 @@
+/*
+  This test runs podman as a backend for the Docker CLI.
+ */
+import ./make-test-python.nix (
+  { pkgs, lib, ... }:
+
+  let gen-ca = pkgs.writeScript "gen-ca" ''
+    # Create CA
+    PATH="${pkgs.openssl}/bin:$PATH"
+    openssl genrsa -out ca-key.pem 4096
+    openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -subj '/C=NL/ST=Zuid-Holland/L=The Hague/O=Stevige Balken en Planken B.V./OU=OpSec/CN=Certificate Authority' -out ca.pem
+
+    # Create service
+    openssl genrsa -out podman-key.pem 4096
+    openssl req -subj '/CN=podman' -sha256 -new -key podman-key.pem -out service.csr
+    echo subjectAltName = DNS:podman,IP:127.0.0.1 >> extfile.cnf
+    echo extendedKeyUsage = serverAuth >> extfile.cnf
+    openssl x509 -req -days 365 -sha256 -in service.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out podman-cert.pem -extfile extfile.cnf
+
+    # Create client
+    openssl genrsa -out client-key.pem 4096
+    openssl req -subj '/CN=client' -new -key client-key.pem -out client.csr
+    echo extendedKeyUsage = clientAuth > extfile-client.cnf
+    openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem -extfile extfile-client.cnf
+
+    # Create CA 2
+    PATH="${pkgs.openssl}/bin:$PATH"
+    openssl genrsa -out ca-2-key.pem 4096
+    openssl req -new -x509 -days 365 -key ca-2-key.pem -sha256 -subj '/C=NL/ST=Zuid-Holland/L=The Hague/O=Stevige Balken en Planken B.V./OU=OpSec/CN=Certificate Authority' -out ca-2.pem
+
+    # Create client signed by CA 2
+    openssl genrsa -out client-2-key.pem 4096
+    openssl req -subj '/CN=client' -new -key client-2-key.pem -out client-2.csr
+    echo extendedKeyUsage = clientAuth > extfile-client.cnf
+    openssl x509 -req -days 365 -sha256 -in client-2.csr -CA ca-2.pem -CAkey ca-2-key.pem -CAcreateserial -out client-2-cert.pem -extfile extfile-client.cnf
+
+    '';
+  in
+  {
+    name = "podman-tls-ghostunnel";
+    meta = {
+      maintainers = lib.teams.podman.members ++ [ lib.maintainers.roberth ];
+    };
+
+    nodes = {
+      podman =
+        { pkgs, ... }:
+        {
+          virtualisation.podman.enable = true;
+          virtualisation.podman.dockerSocket.enable = true;
+          virtualisation.podman.networkSocket = {
+            enable = true;
+            openFirewall = true;
+            server = "ghostunnel";
+            tls.cert = "/root/podman-cert.pem";
+            tls.key = "/root/podman-key.pem";
+            tls.cacert = "/root/ca.pem";
+          };
+
+          environment.systemPackages = [
+            pkgs.docker-client
+          ];
+
+          users.users.alice = {
+            isNormalUser = true;
+            home = "/home/alice";
+            description = "Alice Foobar";
+            extraGroups = ["podman"];
+          };
+
+        };
+
+      client = { ... }: {
+        environment.systemPackages = [
+          # Installs the docker _client_ only
+          # Normally, you'd want `virtualisation.docker.enable = true;`.
+          pkgs.docker-client
+        ];
+        environment.variables.DOCKER_HOST = "podman:2376";
+        environment.variables.DOCKER_TLS_VERIFY = "1";
+      };
+    };
+
+    testScript = ''
+      import shlex
+
+
+      def su_cmd(user, cmd):
+          cmd = shlex.quote(cmd)
+          return f"su {user} -l -c {cmd}"
+
+      def cmd(command):
+        print(f"+{command}")
+        r = os.system(command)
+        if r != 0:
+          raise Exception(f"Command {command} failed with exit code {r}")
+
+      start_all()
+      cmd("${gen-ca}")
+
+      podman.copy_from_host("ca.pem", "/root/ca.pem")
+      podman.copy_from_host("podman-cert.pem", "/root/podman-cert.pem")
+      podman.copy_from_host("podman-key.pem", "/root/podman-key.pem")
+
+      client.copy_from_host("ca.pem", "/root/.docker/ca.pem")
+      # client.copy_from_host("podman-cert.pem", "/root/podman-cert.pem")
+      client.copy_from_host("client-cert.pem", "/root/.docker/cert.pem")
+      client.copy_from_host("client-key.pem", "/root/.docker/key.pem")
+
+      # TODO (ghostunnel): add file watchers so the restart isn't necessary
+      podman.succeed("systemctl reset-failed && systemctl restart ghostunnel-server-podman-socket.service")
+
+      podman.wait_for_unit("sockets.target")
+      podman.wait_for_unit("ghostunnel-server-podman-socket.service")
+
+      with subtest("Create default network"):
+          podman.succeed("docker network create default")
+
+      with subtest("Root docker cli also works"):
+          podman.succeed("docker version")
+
+      with subtest("A podman member can also still use the docker cli"):
+          podman.succeed(su_cmd("alice", "docker version"))
+
+      with subtest("Run container remotely via docker cli"):
+          client.succeed("docker version")
+
+          # via socket would be nicer
+          podman.succeed("tar cv --files-from /dev/null | podman import - scratchimg")
+
+          client.succeed(
+            "docker run -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10"
+          )
+          client.succeed("docker ps | grep sleeping")
+          podman.succeed("docker ps | grep sleeping")
+          client.succeed("docker stop sleeping")
+          client.succeed("docker rm sleeping")
+
+      with subtest("Clients without cert will be denied"):
+          client.succeed("rm /root/.docker/{cert,key}.pem")
+          client.fail("docker version")
+
+      with subtest("Clients with wrong cert will be denied"):
+          client.copy_from_host("client-2-cert.pem", "/root/.docker/cert.pem")
+          client.copy_from_host("client-2-key.pem", "/root/.docker/key.pem")
+          client.fail("docker version")
+
+    '';
+  }
+)

nixos/tests/podman.nix

@@ -13,10 +13,23 @@ import ./make-test-python.nix (
         {
           virtualisation.podman.enable = true;
 
+          # To test docker socket support
+          virtualisation.podman.dockerSocket.enable = true;
+          environment.systemPackages = [
+            pkgs.docker-client
+          ];
+
           users.users.alice = {
             isNormalUser = true;
             home = "/home/alice";
             description = "Alice Foobar";
+            extraGroups = [ "podman" ];
+          };
+
+          users.users.mallory = {
+            isNormalUser = true;
+            home = "/home/mallory";
+            description = "Mallory Foobar";
           };
 
         };
@@ -26,9 +39,9 @@ import ./make-test-python.nix (
       import shlex
 
 
-      def su_cmd(cmd):
+      def su_cmd(cmd, user = "alice"):
           cmd = shlex.quote(cmd)
-          return f"su alice -l -c {cmd}"
+          return f"su {user} -l -c {cmd}"
 
 
       podman.wait_for_unit("sockets.target")
@@ -105,6 +118,27 @@ import ./make-test-python.nix (
           assert pid == "1"
           pid = podman.succeed("podman run --rm --init busybox readlink /proc/self").strip()
           assert pid == "2"
+
+      with subtest("A podman member can use the docker cli"):
+          podman.succeed(su_cmd("docker version"))
+
+      with subtest("Run container via docker cli"):
+          podman.succeed("docker network create default")
+          podman.succeed("tar cv --files-from /dev/null | podman import - scratchimg")
+          podman.succeed(
+            "docker run -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10"
+          )
+          podman.succeed("docker ps | grep sleeping")
+          podman.succeed("podman ps | grep sleeping")
+          podman.succeed("docker stop sleeping")
+          podman.succeed("docker rm sleeping")
+          podman.succeed("docker network rm default")
+
+      with subtest("A podman non-member can not use the docker cli"):
+          podman.fail(su_cmd("docker version", user="mallory"))
+
+      # TODO: add docker-compose test
+
     '';
   }
 )

pkgs/applications/audio/dr14_tmeter/default.nix

@@ -14,7 +14,7 @@ python3Packages.buildPythonApplication rec {
   };
 
   propagatedBuildInputs = with pkgs; [
-    python3Packages.numpy flac vorbis-tools ffmpeg_3 faad2 lame
+    python3Packages.numpy flac vorbis-tools ffmpeg faad2 lame
   ];
 
   # There are no tests

pkgs/applications/audio/schismtracker/default.nix

@@ -1,19 +1,25 @@
-{ lib, stdenv, fetchFromGitHub
+{ lib
+, stdenv
+, fetchFromGitHub
 , autoreconfHook
-, alsaLib, python, SDL }:
+, alsaLib
+, python
+, SDL
+}:
 
 stdenv.mkDerivation rec {
   pname = "schismtracker";
-  version = "20200412";
+  version = "20210525";
 
   src = fetchFromGitHub {
     owner = pname;
     repo = pname;
     rev = version;
-    sha256 = "1n6cgjiw3vkv7a1h1nki5syyjxjb6icknr9s049w2jrag10bxssn";
+    sha256 = "06ybkbqry7f7lmzgwb9s7ipafshl5gdj98lcjsjkcbnywj8r9b3h";
   };
 
-  configureFlags = [ "--enable-dependency-tracking" ];
+  configureFlags = [ "--enable-dependency-tracking" ]
+    ++ lib.optional stdenv.isDarwin "--disable-sdltest";
 
   nativeBuildInputs = [ autoreconfHook python ];
 
@@ -22,8 +28,8 @@ stdenv.mkDerivation rec {
   meta = with lib; {
     description = "Music tracker application, free reimplementation of Impulse Tracker";
     homepage = "http://schismtracker.org/";
-    license = licenses.gpl2;
+    license = licenses.gpl2Plus;
-    platforms = [ "x86_64-linux" "i686-linux" "x86_64-darwin" ];
+    platforms = platforms.unix;
     maintainers = with maintainers; [ ftrvxmtrx ];
   };
 }

pkgs/applications/graphics/antimony/default.nix

@@ -1,6 +1,7 @@
 { lib, stdenv, fetchFromGitHub, libpng, python3
 , libGLU, libGL, qtbase, wrapQtAppsHook, ncurses
 , cmake, flex, lemon
+, makeDesktopItem, copyDesktopItems
 }:
 
 let
@@ -27,12 +28,35 @@ in
        sed -i "s,python3,${python3.executable}," CMakeLists.txt
     '';
 
+    postInstall = lib.optionalString stdenv.isLinux ''
+      install -Dm644 $src/deploy/icon.svg $out/share/icons/hicolor/scalable/apps/antimony.svg
+      install -Dm644 ${./mimetype.xml} $out/share/mime/packages/antimony.xml
+    '';
+
     buildInputs = [
       libpng python3 python3.pkgs.boost
       libGLU libGL qtbase ncurses
     ];
 
-    nativeBuildInputs = [ cmake flex lemon wrapQtAppsHook ];
+    nativeBuildInputs = [ cmake flex lemon wrapQtAppsHook copyDesktopItems ];
+
+    desktopItems = [
+      (makeDesktopItem {
+        name = "antimony";
+        desktopName = "Antimony";
+        comment="Tree-based Modeler";
+        genericName = "CAD Application";
+        exec = "antimony %f";
+        icon = "antimony";
+        terminal = "false";
+        categories = "Graphics;Science;Engineering";
+        mimeType = "application/x-extension-sb;application/x-antimony;";
+        extraEntries = ''
+          StartupWMClass=antimony
+          Version=1.0
+        '';
+      })
+    ];
 
     cmakeFlags= [
       "-DGITREV=${gitRev}"

pkgs/applications/graphics/antimony/mimetype.xml

@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<mime-info xmlns="http://www.freedesktop.org/standards/shared-mime-info">
+  <mime-type type="application/x-antimony">
+    <comment xml:lang="en">Antimony model</comment>
+    <glob pattern="*.sb"/>
+  </mime-type>
+</mime-info>

pkgs/applications/misc/blender/darwin.patch

@@ -1,5 +1,4 @@
 diff --git a/build_files/cmake/platform/platform_apple.cmake b/build_files/cmake/platform/platform_apple.cmake
-index 31da529..90308aa 100644
 --- a/build_files/cmake/platform/platform_apple.cmake
 +++ b/build_files/cmake/platform/platform_apple.cmake
 @@ -77,7 +77,6 @@ else()
@@ -10,7 +9,7 @@ index 31da529..90308aa 100644
  endif()
  
  # Prefer lib directory paths
-@@ -113,10 +112,6 @@ if(WITH_CODEC_SNDFILE)
+@@ -114,10 +113,6 @@ if(WITH_CODEC_SNDFILE)
    find_library(_sndfile_VORBIS_LIBRARY NAMES vorbis HINTS ${LIBDIR}/ffmpeg/lib)
    find_library(_sndfile_VORBISENC_LIBRARY NAMES vorbisenc HINTS ${LIBDIR}/ffmpeg/lib)
    list(APPEND LIBSNDFILE_LIBRARIES
@@ -21,16 +20,16 @@ index 31da529..90308aa 100644
    )
  
    print_found_status("SndFile libraries" "${LIBSNDFILE_LIBRARIES}")
-@@ -133,7 +128,7 @@ if(WITH_PYTHON)
+@@ -134,7 +129,7 @@ if(WITH_PYTHON)
      # normally cached but not since we include them with blender
-     set(PYTHON_INCLUDE_DIR "${LIBDIR}/python/include/python${PYTHON_VERSION}m")
+     set(PYTHON_INCLUDE_DIR "${LIBDIR}/python/include/python${PYTHON_VERSION}")
-     set(PYTHON_EXECUTABLE "${LIBDIR}/python/bin/python${PYTHON_VERSION}m")
+     set(PYTHON_EXECUTABLE "${LIBDIR}/python/bin/python${PYTHON_VERSION}")
--    set(PYTHON_LIBRARY ${LIBDIR}/python/lib/libpython${PYTHON_VERSION}m.a)
+-    set(PYTHON_LIBRARY ${LIBDIR}/python/lib/libpython${PYTHON_VERSION}.a)
-+    set(PYTHON_LIBRARY "${LIBDIR}/python/lib/libpython${PYTHON_VERSION}m.dylib")
++    set(PYTHON_LIBRARY ${LIBDIR}/python/lib/libpython${PYTHON_VERSION}.dylib)
      set(PYTHON_LIBPATH "${LIBDIR}/python/lib/python${PYTHON_VERSION}")
      # set(PYTHON_LINKFLAGS "-u _PyMac_Error")  # won't  build with this enabled
    else()
-@@ -174,9 +169,7 @@ endif()
+@@ -175,9 +170,7 @@ endif()
  if(WITH_CODEC_FFMPEG)
    set(FFMPEG_FIND_COMPONENTS
      avcodec avdevice avformat avutil
@@ -41,7 +40,7 @@ index 31da529..90308aa 100644
    find_package(FFmpeg)
  endif()
  
-@@ -267,7 +260,6 @@ if(WITH_BOOST)
+@@ -275,7 +268,6 @@ if(WITH_BOOST)
  endif()
  
  if(WITH_INTERNATIONAL OR WITH_CODEC_FFMPEG)
@@ -49,7 +48,7 @@ index 31da529..90308aa 100644
  endif()
  
  if(WITH_PUGIXML)
-@@ -451,7 +443,7 @@ else()
+@@ -476,7 +468,7 @@ else()
    set(CMAKE_CXX_FLAGS_RELEASE "-O2 -mdynamic-no-pic")
  endif()
  

pkgs/applications/misc/blender/default.nix

@@ -1,7 +1,7 @@
 { config, stdenv, lib, fetchurl, fetchzip, boost, cmake, ffmpeg, gettext, glew
 , ilmbase, libXi, libX11, libXext, libXrender
 , libjpeg, libpng, libsamplerate, libsndfile
-, libtiff, libGLU, libGL, openal, opencolorio, openexr, openimagedenoise, openimageio2, openjpeg, python3Packages
+, libtiff, libGLU, libGL, openal, opencolorio, openexr, openimagedenoise, openimageio2, openjpeg, python39Packages
 , openvdb, libXxf86vm, tbb, alembic
 , zlib, fftw, opensubdiv, freetype, jemalloc, ocl-icd, addOpenGLRunpath
 , jackaudioSupport ? false, libjack2
@@ -17,7 +17,7 @@
 
 with lib;
 let
-  python = python3Packages.python;
+  python = python39Packages.python;
   optix = fetchzip {
     url = "https://developer.download.nvidia.com/redist/optix/v7.0/OptiX-7.0.0-include.zip";
     sha256 = "1b3ccd3197anya2bj3psxdrvrpfgiwva5zfv2xmyrl73nb2dvfr7";
@@ -26,16 +26,16 @@ let
 in
 stdenv.mkDerivation rec {
   pname = "blender";
-  version = "2.92.0";
+  version = "2.93.0";
 
   src = fetchurl {
     url = "https://download.blender.org/source/${pname}-${version}.tar.xz";
-    sha256 = "15a5vffn18a920286x0avbc2rap56k6y531wgibq68r90g2cz4g7";
+    sha256 = "0f2rpqa39sir6g90khd2d2fs4kss0zhk7vya1nscf5yp8r566fxs";
   };
 
   patches = lib.optional stdenv.isDarwin ./darwin.patch;
 
-  nativeBuildInputs = [ cmake makeWrapper python3Packages.wrapPython llvmPackages.llvm.dev ]
+  nativeBuildInputs = [ cmake makeWrapper python39Packages.wrapPython llvmPackages.llvm.dev ]
     ++ optionals cudaSupport [ addOpenGLRunpath ];
   buildInputs =
     [ boost ffmpeg gettext glew ilmbase
@@ -64,7 +64,7 @@ stdenv.mkDerivation rec {
     ++ optional cudaSupport cudatoolkit
     ++ optional colladaSupport opencollada
     ++ optional spaceNavSupport libspnav;
-  pythonPath = with python3Packages; [ numpy requests ];
+  pythonPath = with python39Packages; [ numpy requests ];
 
   postPatch = ''
     # allow usage of dynamically linked embree
@@ -78,16 +78,12 @@ stdenv.mkDerivation rec {
         --replace '${"$"}{LIBDIR}/openmp' \
                   '${llvmPackages.openmp}'
       substituteInPlace build_files/cmake/platform/platform_apple.cmake \
-        --replace 'set(PYTHON_VERSION 3.7)' \
-                  'set(PYTHON_VERSION ${python.pythonVersion})' \
-        --replace '${"$"}{PYTHON_VERSION}m' \
-                  '${"$"}{PYTHON_VERSION}' \
         --replace '${"$"}{LIBDIR}/python' \
                   '${python}' \
         --replace '${"$"}{LIBDIR}/opencollada' \
                   '${opencollada}' \
         --replace '${"$"}{PYTHON_LIBPATH}/site-packages/numpy' \
-                  '${python3Packages.numpy}/${python.sitePackages}/numpy'
+                  '${python39Packages.numpy}/${python.sitePackages}/numpy'
     '' else ''
       substituteInPlace extern/clew/src/clew.c --replace '"libOpenCL.so"' '"${ocl-icd}/lib/libOpenCL.so"'
     '');
@@ -109,8 +105,8 @@ stdenv.mkDerivation rec {
       "-DPYTHON_VERSION=${python.pythonVersion}"
       "-DWITH_PYTHON_INSTALL=OFF"
       "-DWITH_PYTHON_INSTALL_NUMPY=OFF"
-      "-DPYTHON_NUMPY_PATH=${python3Packages.numpy}/${python.sitePackages}"
+      "-DPYTHON_NUMPY_PATH=${python39Packages.numpy}/${python.sitePackages}"
-      "-DPYTHON_NUMPY_INCLUDE_DIRS=${python3Packages.numpy}/${python.sitePackages}/numpy/core/include"
+      "-DPYTHON_NUMPY_INCLUDE_DIRS=${python39Packages.numpy}/${python.sitePackages}/numpy/core/include"
       "-DWITH_PYTHON_INSTALL_REQUESTS=OFF"
       "-DWITH_OPENVDB=ON"
       "-DWITH_TBB=ON"

pkgs/applications/networking/browsers/chromium/common.nix

@@ -165,14 +165,10 @@ let
       ./patches/widevine-79.patch # For bundling Widevine (DRM), might be replaceable via bundle_widevine_cdm=true in gnFlags
       # Fix the build by adding a missing dependency (s. https://crbug.com/1197837):
       ./patches/fix-missing-atspi2-dependency.patch
-    ] ++ optionals (chromiumVersionAtLeast "91") [
       ./patches/closure_compiler-Use-the-Java-binary-from-the-system.patch
     ];
 
-    postPatch = lib.optionalString (chromiumVersionAtLeast "91") ''
+    postPatch = ''
-      # Required for patchShebangs (unsupported):
-      chmod -x third_party/webgpu-cts/src/tools/deno
-    '' + ''
       # remove unused third-party
       for lib in ${toString gnSystemLibraries}; do
         if [ -d "third_party/$lib" ]; then
@@ -191,6 +187,7 @@ let
         substituteInPlace third_party/harfbuzz-ng/src/src/update-unicode-tables.make \
           --replace "/usr/bin/env -S make -f" "/usr/bin/make -f"
       fi
+      chmod -x third_party/webgpu-cts/src/tools/deno
 
       # We want to be able to specify where the sandbox is via CHROME_DEVEL_SANDBOX
       substituteInPlace sandbox/linux/suid/client/setuid_sandbox_host.cc \

pkgs/applications/networking/browsers/chromium/upstream-info.json

@@ -44,19 +44,19 @@
     }
   },
   "ungoogled-chromium": {
-    "version": "90.0.4430.212",
+    "version": "91.0.4472.77",
-    "sha256": "17nmhrkl81qqvzbh861k2mmifncx4wg1mv1fmn52f8gzn461vqdb",
+    "sha256": "0c8vj3gq3nmb7ssiwj6875g0a8hcprss1a4gqw9h7llqywza9ma5",
-    "sha256bin64": "1y33c5829s22yfj0qmsj8fpcxnjhcm3fsxz7744csfsa9cy4fjr7",
+    "sha256bin64": "0caf47xam5igdnbhipal1iyicnxxvadhi61k199rwysrvyv5sdad",
     "deps": {
       "gn": {
-        "version": "2021-02-09",
+        "version": "2021-04-06",
         "url": "https://gn.googlesource.com/gn",
-        "rev": "dfcbc6fed0a8352696f92d67ccad54048ad182b3",
+        "rev": "dba01723a441c358d843a575cb7720d54ddcdf92",
-        "sha256": "1941bzg37c4dpsk3sh6ga3696gpq6vjzpcw9rsnf6kdr9mcgdxvn"
+        "sha256": "199xkks67qrn0xa5fhp24waq2vk8qb78a96cb3kdd8v1hgacgb8x"
       },
       "ungoogled-patches": {
-        "rev": "90.0.4430.212-1",
+        "rev": "91.0.4472.77-1",
-        "sha256": "05jh05a4g50ws7pr18dl5pwi95knygh6xywp7kyydir7wy1pbin8"
+        "sha256": "1jfmmkw1y4rcjfgsm7b4v2lrgd3sks5qpajvq0djflbhkpsqxfk0"
       }
     }
   }

pkgs/applications/networking/browsers/firefox/common.nix

@@ -16,6 +16,10 @@
 
 ### optionals
 
+## backported libraries
+
+, rust-cbindgen_latest
+
 ## optional libraries
 
 , alsaSupport ? stdenv.isLinux, alsaLib
@@ -90,6 +94,8 @@ let
             then "/Applications/${binaryNameCapitalized}.app/Contents/MacOS"
             else "/bin";
 
+  rust-cbindgen_pkg = if lib.versionAtLeast ffversion "89" then rust-cbindgen_latest else rust-cbindgen;
+
   # 78 ESR won't build with rustc 1.47
   inherit (if lib.versionAtLeast ffversion "82" then rustPackages else rustPackages_1_45)
     rustc cargo;
@@ -226,7 +232,7 @@ buildStdenv.mkDerivation ({
       perl
       pkg-config
       python3
-      rust-cbindgen
+      rust-cbindgen_pkg
       rustc
       which
       unzip

pkgs/applications/networking/browsers/firefox/packages.nix

@@ -7,10 +7,10 @@ in
 rec {
   firefox = common rec {
     pname = "firefox";
-    ffversion = "88.0.1";
+    ffversion = "89.0";
     src = fetchurl {
       url = "mirror://mozilla/firefox/releases/${ffversion}/source/firefox-${ffversion}.source.tar.xz";
-      sha512 = "e2d7fc950ba49f225c83ee1d799d6318fcf16c33a3b7f40b85c49d5b7865f7e632c703e5fd227a303b56e2565d0796283ebb12d7fd1a02781dcaa45e84cea934";
+      sha512 = "5089720feda15d054d0aa4c3bdeb84760314dadd6381d7360e688d8e396154868220c6315add650d8d2a42652cb8a9bfeb833885812ef0bd70a74ee58ad18aa3";
     };
 
     meta = {
@@ -32,10 +32,10 @@ rec {
 
   firefox-esr-78 = common rec {
     pname = "firefox-esr";
-    ffversion = "78.10.1esr";
+    ffversion = "78.11.0esr";
     src = fetchurl {
       url = "mirror://mozilla/firefox/releases/${ffversion}/source/firefox-${ffversion}.source.tar.xz";
-      sha512 = "a22773d9b3f0dca253805257f358a906769d23f15115e3a8851024f701e27dee45f056f7d34ebf1fcde0a3f91ec299639c2a12556e938a232cdea9e59835fde1";
+      sha512 = "d02fc2eda587155b1c54ca12a6c5cde220a29f41f154f1c9b71ae8f966d8cc9439201a5b241e03fc0795b74e2479f7aa5d6b69f70b7639432e5382f321f7a6f4";
     };
 
     meta = {

pkgs/applications/networking/browsers/qutebrowser/default.nix

@@ -31,12 +31,12 @@ let
 
 in mkDerivationWith python3Packages.buildPythonApplication rec {
   pname = "qutebrowser";
-  version = "2.2.2";
+  version = "2.2.3";
 
   # the release tarballs are different from the git checkout!
   src = fetchurl {
     url = "https://github.com/qutebrowser/qutebrowser/releases/download/v${version}/${pname}-${version}.tar.gz";
-    sha256 = "11vjp20gzmdjj09b7wxzn7ar6viih0bk76y618yqsyqqkffylmbq";
+    sha256 = "sha256-BoP168jxj94nvkrcgC83fPw/TPRsI2PbCooqzWNF62I=";
   };
 
   # Needs tox

pkgs/applications/networking/cluster/dnsname-cni/default.nix

@@ -0,0 +1,42 @@
+{
+  buildGoModule,
+  dnsmasq,
+  fetchFromGitHub,
+  lib,
+  nixosTests,
+  makeWrapper,
+}:
+
+buildGoModule rec {
+  pname = "cni-plugin-dnsname";
+  version = "1.1.1";
+
+  src = fetchFromGitHub {
+    owner = "containers";
+    repo = "dnsname";
+    rev = "v${version}";
+    sha256 = "090kpq2ppan9ayajdk5vwbvww30nphylgajn2p3441d4jg2nvsm3";
+  };
+
+  nativeBuildInputs = [ makeWrapper ];
+  postInstall = ''
+    wrapProgram $out/bin/dnsname --prefix PATH : ${lib.makeBinPath [ dnsmasq ]}
+  '';
+
+  vendorSha256 = null;
+  subPackages = [ "plugins/meta/dnsname" ];
+
+  doCheck = false; # NOTE: requires root privileges
+
+  passthru.tests = {
+    inherit (nixosTests) podman-dnsname;
+  };
+
+  meta = with lib; {
+    description = "DNS name resolution for containers";
+    homepage = "https://github.com/containers/dnsname";
+    license = licenses.asl20;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ mikroskeem ];
+  };
+}

pkgs/applications/networking/cluster/tilt/default.nix

@@ -5,13 +5,13 @@ buildGoModule rec {
   /* Do not use "dev" as a version. If you do, Tilt will consider itself
     running in development environment and try to serve assets from the
     source tree, which is not there once build completes.  */
-  version = "0.18.10";
+  version = "0.20.5";
 
   src = fetchFromGitHub {
     owner  = "tilt-dev";
     repo   = pname;
     rev    = "v${version}";
-    sha256 = "sha256-SvvvHGR3UPyV61MaoFB68SaZKUT3ItYOPT1a7AddxlY=";
+    sha256 = "sha256-pUKKHrShED7yp5WSmHSbS+eiYs22Nm2/ouc2a8WYc38=";
   };
   vendorSha256 = null;
 

pkgs/applications/networking/instant-messengers/discord/base.nix

@@ -23,7 +23,7 @@ in stdenv.mkDerivation rec {
     libXScrnSaver
     libXtst
     libxcb
-    mesa.drivers
+    mesa
     nss
     wrapGAppsHook
   ];
@@ -31,7 +31,7 @@ in stdenv.mkDerivation rec {
   dontWrapGApps = true;
 
   libPath = lib.makeLibraryPath [
-    libcxx systemd libpulseaudio
+    libcxx systemd libpulseaudio libdrm mesa
     stdenv.cc.cc alsaLib atk at-spi2-atk at-spi2-core cairo cups dbus expat fontconfig freetype
     gdk-pixbuf glib gtk3 libnotify libX11 libXcomposite libuuid
     libXcursor libXdamage libXext libXfixes libXi libXrandr libXrender
@@ -50,7 +50,7 @@ in stdenv.mkDerivation rec {
     wrapProgram $out/opt/${binaryName}/${binaryName} \
         "''${gappsWrapperArgs[@]}" \
         --prefix XDG_DATA_DIRS : "${gtk3}/share/gsettings-schemas/${gtk3.name}/" \
-        --prefix LD_LIBRARY_PATH : ${libPath}
+        --prefix LD_LIBRARY_PATH : ${libPath}:$out/opt/${binaryName}
 
     ln -s $out/opt/${binaryName}/${binaryName} $out/bin/
     ln -s $out/opt/${binaryName}/discord.png $out/share/pixmaps/${pname}.png

pkgs/applications/networking/instant-messengers/discord/default.nix

@@ -7,30 +7,30 @@ in {
     pname = "discord";
     binaryName = "Discord";
     desktopName = "Discord";
-    version = "0.0.14";
+    version = "0.0.15";
     src = fetchurl {
       url = "https://dl.discordapp.net/apps/linux/${version}/discord-${version}.tar.gz";
-      sha256 = "1rq490fdl5pinhxk8lkfcfmfq7apj79jzf3m14yql1rc9gpilrf2";
+      sha256 = "0pn2qczim79hqk2limgh88fsn93sa8wvana74mpdk5n6x5afkvdd";
     };
   };
   ptb = callPackage ./base.nix rec {
     pname = "discord-ptb";
     binaryName = "DiscordPTB";
     desktopName = "Discord PTB";
-    version = "0.0.23";
+    version = "0.0.25";
     src = fetchurl {
       url = "https://dl-ptb.discordapp.net/apps/linux/${version}/discord-ptb-${version}.tar.gz";
-      sha256 = "0vxz68vldrbmmw1alpwl7blfcy6byd6zg9m0851dm0p0ldyhsp5j";
+      sha256 = "082ygmsycicddpkv5s03vw3rjkrk4lgprq29z8b1hdjifvw93b21";
     };
   };
   canary = callPackage ./base.nix rec {
     pname = "discord-canary";
     binaryName = "DiscordCanary";
     desktopName = "Discord Canary";
-    version = "0.0.122";
+    version = "0.0.123";
     src = fetchurl {
       url = "https://dl-canary.discordapp.net/apps/linux/${version}/discord-canary-${version}.tar.gz";
-      sha256 = "0ph7gp77wzjpr7nhv13fg64j97dxjwmivshr56ly3kjhmvvanj7k";
+      sha256 = "0bijwfsd9s4awqkgxd9c2cxh7y5r06vix98qjp0dkv63r6jig8ch";
     };
   };
 }.${branch}

pkgs/applications/networking/instant-messengers/telegram/tdesktop/default.nix

@@ -2,11 +2,11 @@
 , pkg-config, cmake, ninja, python3, wrapGAppsHook, wrapQtAppsHook, removeReferencesTo
 , qtbase, qtimageformats, gtk3, libsForQt5, enchant2, lz4, xxHash
 , dee, ffmpeg, openalSoft, minizip, libopus, alsaLib, libpulseaudio, range-v3
-, tl-expected, hunspell, glibmm, webkitgtk
+, tl-expected, hunspell, glibmm, webkitgtk, libtgvoip
 # Transitive dependencies:
 , pcre, xorg, util-linux, libselinux, libsepol, epoxy
 , at-spi2-core, libXtst, libthai, libdatrie
-, xdg-utils
+, xdg-utils, libsysprof-capture, libpsl, brotli
 }:
 
 with lib;
@@ -20,27 +20,33 @@ with lib;
 
 let
   tg_owt = callPackage ./tg_owt.nix {};
-  webviewPatch = fetchpatch {
-    url = "https://raw.githubusercontent.com/archlinux/svntogit-community/013eff77a13b6c2629a04e07a4d09dbe60c8ca48/trunk/fix-webview-includes.patch";
-    sha256 = "0112zaysf3f02dd4bgqc5hwg66h1bfj8r4yjzb06sfi0pl9vl96l";
-  };
-
 in mkDerivation rec {
   pname = "telegram-desktop";
-  version = "2.7.4";
+  version = "2.7.5";
 
   # Telegram-Desktop with submodules
   src = fetchurl {
     url = "https://github.com/telegramdesktop/tdesktop/releases/download/v${version}/tdesktop-${version}-full.tar.gz";
-    sha256 = "1cigqvxa8lp79y7sp2w2izmmikxaxzrq9bh5ns3cy16z985nyllp";
+    sha256 = "sha256-9GxBw5ii9Musjq7D3KMf/P5BA4h690EgXRbhynHwO98=";
   };
 
+  patches = [
+    # fixes issue with ffmpeg>=4.4 crashes, hasn't been upstreamed yet
+    (fetchpatch {
+      url = "https://raw.githubusercontent.com/gentoo/gentoo/1c91884873968997be4b0c954169d04dc839f1db/net-im/telegram-desktop/files/tdesktop-2.7.4-voice-crash.patch";
+      sha256 = "sha256-inLXcP70yJlkkmdeXlc3HRL7Vt+Sf00LLJG33gwBKdY=";
+    })
+    (fetchpatch {
+      url = "https://raw.githubusercontent.com/gentoo/gentoo/1c91884873968997be4b0c954169d04dc839f1db/net-im/telegram-desktop/files/tdesktop-2.7.4-voice-ffmpeg44.patch";
+      sha256 = "sha256-p57LipNf7BDhVvNKRuicVqx0vU6IBL/Cvr5BAfLF4Hs=";
+    })
+  ];
+
   postPatch = ''
     substituteInPlace Telegram/lib_spellcheck/spellcheck/platform/linux/linux_enchant.cpp \
       --replace '"libenchant-2.so.2"' '"${enchant2}/lib/libenchant-2.so.2"'
     substituteInPlace Telegram/CMakeLists.txt \
       --replace '"''${TDESKTOP_LAUNCHER_BASENAME}.appdata.xml"' '"''${TDESKTOP_LAUNCHER_BASENAME}.metainfo.xml"'
-    patch -d Telegram/lib_webview -p1 < "${webviewPatch}"
   '';
 
   # We want to run wrapProgram manually (with additional parameters)
@@ -53,10 +59,10 @@ in mkDerivation rec {
     qtbase qtimageformats gtk3 libsForQt5.kwayland libsForQt5.libdbusmenu enchant2 lz4 xxHash
     dee ffmpeg openalSoft minizip libopus alsaLib libpulseaudio range-v3
     tl-expected hunspell glibmm webkitgtk
-    tg_owt
+    tg_owt libtgvoip
     # Transitive dependencies:
     pcre xorg.libpthreadstubs xorg.libXdmcp util-linux libselinux libsepol epoxy
-    at-spi2-core libXtst libthai libdatrie
+    at-spi2-core libXtst libthai libdatrie libsysprof-capture libpsl brotli
   ];
 
   cmakeFlags = [

pkgs/applications/networking/irc/weechat/scripts/wee-slack/0001-hardcode-json-file-path.patch

@@ -1,35 +0,0 @@
-From 5dd2593369645b11a9dc03e1930617d2f5dbd039 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
-Date: Wed, 11 Nov 2020 11:48:49 +0100
-Subject: [PATCH] hardcode json file path
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
----
- wee_slack.py | 8 +-------
- 1 file changed, 1 insertion(+), 7 deletions(-)
-
-diff --git a/wee_slack.py b/wee_slack.py
-index a3d779c..5942289 100644
---- a/wee_slack.py
-+++ b/wee_slack.py
-@@ -5136,13 +5136,7 @@ def create_slack_debug_buffer():
- 
- def load_emoji():
-     try:
--        weechat_dir = w.info_get('weechat_dir', '')
--        weechat_sharedir = w.info_get('weechat_sharedir', '')
--        local_weemoji, global_weemoji = ('{}/weemoji.json'.format(path)
--                for path in (weechat_dir, weechat_sharedir))
--        path = (global_weemoji if os.path.exists(global_weemoji) and
--                not os.path.exists(local_weemoji) else local_weemoji)
--        with open(path, 'r') as ef:
-+        with open('@out@/share/wee-slack/weemoji.json', 'r') as ef:
-             emojis = json.loads(ef.read())
-             if 'emoji' in emojis:
-                 print_error('The weemoji.json file is in an old format. Please update it.')
--- 
-2.29.0
-

pkgs/applications/networking/irc/weechat/scripts/wee-slack/default.nix

@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "wee-slack";
-  version = "2.7.0";
+  version = "2.8.0";
 
   src = fetchFromGitHub {
     repo = "wee-slack";
     owner = "wee-slack";
     rev = "v${version}";
-    sha256 = "sha256-6Z/H15bKe0PKpNe9PCgc5mLOii3CILCAVon7EgzIkx8=";
+    sha256 = "0xfklr0gsc9jgxfyrrb2j756lclz9g8imcb0pk0xgyj8mhsw23zk";
   };
 
   patches = [
@@ -16,10 +16,13 @@ stdenv.mkDerivation rec {
       src = ./libpath.patch;
       env = "${buildEnv {
         name = "wee-slack-env";
-        paths = with python3Packages; [ websocket_client six ];
+        paths = with python3Packages; [
+          websocket_client
+          six
+        ];
       }}/${python3Packages.python.sitePackages}";
     })
-    ./0001-hardcode-json-file-path.patch
+    ./load_weemoji_path.patch
   ];
 
   postPatch = ''

pkgs/applications/networking/irc/weechat/scripts/wee-slack/libpath.patch

@@ -1,13 +1,13 @@
 diff --git a/wee_slack.py b/wee_slack.py
-index dbe6446..d1b7546 100644
+index e4716b4..f673b7c 100644
 --- a/wee_slack.py
 +++ b/wee_slack.py
-@@ -25,6 +25,8 @@ import random
+@@ -31,6 +31,8 @@ import string
- import socket
+ # See https://github.com/numpy/numpy/issues/11925
- import string
+ sys.modules["numpy"] = None
  
 +sys.path.append('@env@')
 +
- from websocket import ABNF, create_connection, WebSocketConnectionClosedException
+ from websocket import (  # noqa: E402
- 
+     ABNF,
- try:
+     create_connection,

pkgs/applications/networking/irc/weechat/scripts/wee-slack/load_weemoji_path.patch

@@ -0,0 +1,25 @@
+diff --git a/wee_slack.py b/wee_slack.py
+index e4716b4..ffd122d 100644
+--- a/wee_slack.py
++++ b/wee_slack.py
+@@ -6092,19 +6092,7 @@ def create_slack_debug_buffer():
+ 
+ def load_emoji():
+     try:
+-        weechat_dir = w.info_get("weechat_data_dir", "") or w.info_get(
+-            "weechat_dir", ""
+-        )
+-        weechat_sharedir = w.info_get("weechat_sharedir", "")
+-        local_weemoji, global_weemoji = (
+-            "{}/weemoji.json".format(path) for path in (weechat_dir, weechat_sharedir)
+-        )
+-        path = (
+-            global_weemoji
+-            if os.path.exists(global_weemoji) and not os.path.exists(local_weemoji)
+-            else local_weemoji
+-        )
+-        with open(path, "r") as ef:
++        with open("@out@/share/wee-slack/weemoji.json", "r") as ef:
+             emojis = json.loads(ef.read())
+             if "emoji" in emojis:
+                 print_error(

pkgs/applications/networking/mailreaders/mblaze/default.nix

@@ -1,10 +1,12 @@
-{ stdenv, lib, fetchFromGitHub, installShellFiles, libiconv, ruby ? null }:
+{ coreutils, fetchFromGitHub, fetchpatch, file, gawk, gnugrep, gnused
+, installShellFiles, less, lib, libiconv, makeWrapper, nano, stdenv, ruby
+}:
 
 stdenv.mkDerivation rec {
   pname = "mblaze";
   version = "1.1";
 
-  nativeBuildInputs = [ installShellFiles ];
+  nativeBuildInputs = [ installShellFiles makeWrapper ];
   buildInputs = [ ruby ] ++ lib.optionals stdenv.isDarwin [ libiconv ];
 
   src = fetchFromGitHub {
@@ -22,6 +24,24 @@ stdenv.mkDerivation rec {
     installShellCompletion contrib/_mblaze
   '' + lib.optionalString (ruby != null) ''
     install -Dt $out/bin contrib/msuck contrib/mblow
+
+    # The following wrappings are used to preserve the executable
+    # names (the value of $0 in a script). The script mcom is
+    # designed to be run directly or via symlinks such as mrep. Using
+    # symlinks changes the value of $0 in the script, and makes it
+    # behave differently. When using the wrapProgram tool, the resulting
+    # wrapper breaks this behaviour. The following wrappers preserve it.
+
+    mkdir -p $out/wrapped
+    for x in mcom mbnc mfwd mrep; do
+      mv $out/bin/$x $out/wrapped
+      makeWrapper $out/wrapped/$x $out/bin/$x \
+        --argv0 $out/bin/$x \
+        --prefix PATH : $out/bin \
+        --prefix PATH : ${lib.makeBinPath [
+          coreutils file gawk gnugrep gnused
+        ]}
+    done
   '';
 
   meta = with lib; {

pkgs/applications/networking/mailreaders/neomutt/default.nix

@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchFromGitHub, gettext, makeWrapper, tcl, which
+{ lib, stdenv, fetchFromGitHub, gettext, makeWrapper, tcl, which, fetchpatch
 , ncurses, perl , cyrus_sasl, gss, gpgme, libkrb5, libidn, libxml2, notmuch, openssl
 , lmdb, libxslt, docbook_xsl, docbook_xml_dtd_42, w3m, mailcap, sqlite, zlib
 }:
@@ -14,6 +14,14 @@ stdenv.mkDerivation rec {
     sha256 = "sha256-ADg/+gmndOiuQHsncOzS5K4chthXeUFz6RRJsrZNeZY=";
   };
 
+  patches = [
+    (fetchpatch {
+      name = "CVE-2021-32055.patch";
+      url = "https://github.com/neomutt/neomutt/commit/fa1db5785e5cfd9d3cd27b7571b9fe268d2ec2dc.patch";
+      sha256 = "0bb7gisjynq3w7hhl6vxa469h609bcz6fkdi8vf740pqrwhk68yn";
+    })
+  ];
+
   buildInputs = [
     cyrus_sasl gss gpgme libkrb5 libidn ncurses
     notmuch openssl perl lmdb

pkgs/applications/science/math/sage/sagedoc.nix

@@ -76,7 +76,7 @@ stdenv.mkDerivation rec {
     mv html/en/_static{,.tmp}
     for _dir in `find -name _static` ; do
           rm -r $_dir
-          ln -s html/en/_static $_dir
+          ln -rs html/en/_static $_dir
     done
     mv html/en/_static{.tmp,}
   '';

pkgs/applications/science/physics/xfitter/default.nix

@@ -16,9 +16,6 @@ stdenv.mkDerivation rec {
     ./undefined_behavior.patch
   ];
 
-  # patch needs to updated due to version bump
-  #CXXFLAGS = "-Werror=return-type";
-
   preConfigure =
   # Fix F77LD to workaround for a following build error:
   #
@@ -48,8 +45,6 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
-  hardeningDisable = [ "format" ];
-
   NIX_CFLAGS_COMPILE = lib.optional (stdenv.hostPlatform.libc == "glibc") "-I${libtirpc.dev}/include/tirpc";
   NIX_LDFLAGS = lib.optional (stdenv.hostPlatform.libc == "glibc") "-ltirpc";
 

pkgs/applications/version-management/gitlab/data.json

@@ -1,13 +1,13 @@
 {
-  "version": "13.12.0",
+  "version": "13.12.2",
-  "repo_hash": "060bmfvpqh6zdrwdh4lx4xr1nbg0f7hcp8zh6k9qplv48szhj8m9",
+  "repo_hash": "1wzbjw21pan5cfiz1jd03c3w9sgyvmn35f6dm2sr2k54acsw034p",
   "owner": "gitlab-org",
   "repo": "gitlab",
-  "rev": "v13.12.0-ee",
+  "rev": "v13.12.2-ee",
   "passthru": {
-    "GITALY_SERVER_VERSION": "13.12.0",
+    "GITALY_SERVER_VERSION": "13.12.2",
     "GITLAB_PAGES_VERSION": "1.39.0",
     "GITLAB_SHELL_VERSION": "13.18.0",
-    "GITLAB_WORKHORSE_VERSION": "13.12.0"
+    "GITLAB_WORKHORSE_VERSION": "13.12.2"
   }
 }

pkgs/applications/version-management/gitlab/gitaly/default.nix

@@ -21,14 +21,14 @@ let
       };
   };
 in buildGoModule rec {
-  version = "13.12.0";
+  version = "13.12.2";
   pname = "gitaly";
 
   src = fetchFromGitLab {
     owner = "gitlab-org";
     repo = "gitaly";
     rev = "v${version}";
-    sha256 = "sha256-MGK0WjAeqApf2xUsbF1mtyzYMhJHC5LFtj8LSb0NQKI=";
+    sha256 = "sha256-jZg/OlecYlGjDxlxsayAuqzptil1OPtyPjOe1WYT0HY=";
   };
 
   vendorSha256 = "sha256-drS0L0olEFHYJVC0VYwEZeNYa8fjwrfxlhrEQa4pqzY=";

pkgs/applications/version-management/gitlab/gitlab-workhorse/default.nix

@@ -5,7 +5,7 @@ in
 buildGoModule rec {
   pname = "gitlab-workhorse";
 
-  version = "13.12.0";
+  version = "13.12.2";
 
   src = fetchFromGitLab {
     owner = data.owner;

pkgs/applications/version-management/gitlab/rubyEnv/Gemfile.lock

@@ -139,7 +139,7 @@ GEM
       coderay (>= 1.0.0)
       erubi (>= 1.0.0)
       rack (>= 0.9.0)
-    bindata (2.4.8)
+    bindata (2.4.10)
     binding_ninja (0.2.3)
     bootsnap (1.4.6)
       msgpack (~> 1.0)

pkgs/applications/version-management/gitlab/rubyEnv/gemset.nix

@@ -557,10 +557,10 @@
     platforms = [];
     source = {
       remotes = ["https://rubygems.org"];
-      sha256 = "1bmlqjb5h1ry6wm2d903d6yxibpqzzxwqczvlicsqv0vilaca5ic";
+      sha256 = "06lqi4svq5qls9f7nnvd2zmjdqmi2sf82sq78ci5d78fq0z5x2vr";
       type = "gem";
     };
-    version = "2.4.8";
+    version = "2.4.10";
   };
   binding_ninja = {
     groups = ["default" "development" "test"];

pkgs/applications/virtualization/arion/arion-compose.nix

@@ -0,0 +1,27 @@
+{ mkDerivation, aeson, aeson-pretty, async, base, bytestring
+, directory, hspec, lens, lens-aeson, lib, optparse-applicative
+, process, protolude, QuickCheck, temporary, text, unix
+}:
+mkDerivation {
+  pname = "arion-compose";
+  version = "0.1.3.0";
+  sha256 = "9e18448f8489303f0d9fee020ad1ceb896f4e71eedb537c0c0ef0f1f3ade80df";
+  isLibrary = true;
+  isExecutable = true;
+  enableSeparateDataOutput = true;
+  libraryHaskellDepends = [
+    aeson aeson-pretty async base bytestring directory lens lens-aeson
+    process protolude temporary text unix
+  ];
+  executableHaskellDepends = [
+    aeson aeson-pretty async base bytestring directory lens lens-aeson
+    optparse-applicative process protolude temporary text unix
+  ];
+  testHaskellDepends = [
+    aeson aeson-pretty async base bytestring directory hspec lens
+    lens-aeson process protolude QuickCheck temporary text unix
+  ];
+  homepage = "https://github.com/hercules-ci/arion#readme";
+  description = "Run docker-compose with help from Nix/NixOS";
+  license = lib.licenses.asl20;
+}

pkgs/applications/virtualization/containerd/default.nix

@@ -16,7 +16,7 @@ buildGoPackage rec {
     owner = "containerd";
     repo = "containerd";
     rev = "v${version}";
-    sha256 = "sha256-1u+H/gJaQhltf/pq7uaAPEUlQ5R6ZByall2neNkon8s=";
+    sha256 = "sha256-jVyg+fyMuDnV/TM0Z2t+Cr17a6XBv11aWijhsqMnA5s=";
   };
 
   goPackagePath = "github.com/containerd/containerd";

pkgs/applications/virtualization/docker/default.nix

@@ -17,6 +17,7 @@ rec {
       , btrfs-progs, iptables, e2fsprogs, xz, util-linux, xfsprogs, git
       , procps, libseccomp
       , nixosTests
+      , clientOnly ? !stdenv.isLinux
     }:
   let
     docker-runc = runc.overrideAttrs (oldAttrs: {
@@ -116,7 +117,7 @@ rec {
         ++ optional (libseccomp != null) "seccomp";
     });
   in
-    buildGoPackage ((optionalAttrs (stdenv.isLinux) {
+    buildGoPackage ((optionalAttrs (!clientOnly) {
 
     inherit docker-runc docker-containerd docker-proxy docker-tini moby;
 
@@ -137,7 +138,7 @@ rec {
     nativeBuildInputs = [
       makeWrapper pkg-config go-md2man go libtool installShellFiles
     ];
-    buildInputs = optionals (stdenv.isLinux) [
+    buildInputs = optionals (!clientOnly) [
       sqlite lvm2 btrfs-progs systemd libseccomp
     ] ++ optionals (buildxSupport) [ docker-buildx ];
 
@@ -177,7 +178,7 @@ rec {
 
       makeWrapper $out/libexec/docker/docker $out/bin/docker \
         --prefix PATH : "$out/libexec/docker:$extraPath"
-    '' + optionalString (stdenv.isLinux) ''
+    '' + optionalString (!clientOnly) ''
       # symlink docker daemon to docker cli derivation
       ln -s ${moby}/bin/dockerd $out/bin/dockerd
 
@@ -204,7 +205,7 @@ rec {
       installManPage man/*/*.[1-9]
     '';
 
-    passthru.tests = { inherit (nixosTests) docker; };
+    passthru.tests = lib.optionals (!clientOnly) { inherit (nixosTests) docker; };
 
     meta = {
       homepage = "https://www.docker.com/";

pkgs/applications/virtualization/driver/win-spice/default.nix

@@ -36,15 +36,15 @@ stdenv.mkDerivation  {
 
   buildPhase = ''
     mkdir -p usbdk/x86 usbdk/amd64
-    (cd usbdk/x86; ${p7zip}/bin/7z x ${src_usbdk_x86})
+    (cd usbdk/x86; ${p7zip}/bin/7z x -y ${src_usbdk_x86})
-    (cd usbdk/amd64; ${p7zip}/bin/7z x ${src_usbdk_amd64})
+    (cd usbdk/amd64; ${p7zip}/bin/7z x -y ${src_usbdk_amd64})
 
     mkdir -p vdagent/x86 vdagent/amd64
-    (cd vdagent/x86; ${p7zip}/bin/7z x ${src_vdagent_x86}; mv vdagent_0_7_3_x86/* .; rm -r vdagent_0_7_3_x86)
+    (cd vdagent/x86; ${p7zip}/bin/7z x -y ${src_vdagent_x86}; mv vdagent_0_7_3_x86/* .; rm -r vdagent_0_7_3_x86)
-    (cd vdagent/amd64; ${p7zip}/bin/7z x ${src_vdagent_amd64}; mv vdagent_0_7_3_x64/* .; rm -r vdagent_0_7_3_x64)
+    (cd vdagent/amd64; ${p7zip}/bin/7z x -y ${src_vdagent_amd64}; mv vdagent_0_7_3_x64/* .; rm -r vdagent_0_7_3_x64)
 
     mkdir -p qxlwddm
-    (cd qxlwddm; ${p7zip}/bin/7z x ${src_qxlwddm}; mv Win8 w8.1; cd w8.1; mv x64 amd64)
+    (cd qxlwddm; ${p7zip}/bin/7z x -y ${src_qxlwddm}; mv Win8 w8.1; cd w8.1; mv x64 amd64)
     '';
 
   installPhase =

pkgs/applications/virtualization/podman/default.nix

@@ -69,13 +69,26 @@ buildGoModule rec {
     installShellCompletion --zsh completions/zsh/*
     MANDIR=$man/share/man make install.man-nobuild
   '' + lib.optionalString stdenv.isLinux ''
+    install -Dm644 cni/87-podman-bridge.conflist -t $out/etc/cni/net.d
     install -Dm644 contrib/tmpfile/podman.conf -t $out/lib/tmpfiles.d
     install -Dm644 contrib/systemd/system/podman.{socket,service} -t $out/lib/systemd/system
   '' + ''
     runHook postInstall
   '';
 
-  passthru.tests = { inherit (nixosTests) podman; };
+  postFixup = lib.optionalString stdenv.isLinux ''
+    RPATH=$(patchelf --print-rpath $out/bin/podman)
+    patchelf --set-rpath "${lib.makeLibraryPath [ systemd ]}":$RPATH $out/bin/podman
+  '';
+
+  passthru.tests = {
+    inherit (nixosTests) podman;
+    # related modules
+    inherit (nixosTests)
+      podman-tls-ghostunnel
+      podman-dnsname
+      ;
+  };
 
   meta = with lib; {
     homepage = "https://podman.io/";

pkgs/applications/virtualization/podman/wrapper.nix

@@ -12,6 +12,7 @@
 , util-linux # nsenter
 , cni-plugins # not added to path
 , iptables
+, iproute2
 }:
 
 let
@@ -25,6 +26,7 @@ let
     fuse-overlayfs
     util-linux
     iptables
+    iproute2
   ] ++ extraPackages);
 
 in runCommand podman.name {
@@ -48,6 +50,7 @@ in runCommand podman.name {
   ln -s ${podman.man} $man
 
   mkdir -p $out/bin
+  ln -s ${podman-unwrapped}/etc $out/etc
   ln -s ${podman-unwrapped}/lib $out/lib
   ln -s ${podman-unwrapped}/share $out/share
   makeWrapper ${podman-unwrapped}/bin/podman $out/bin/podman \

pkgs/build-support/build-pecl.nix

@@ -33,4 +33,5 @@ stdenv.mkDerivation (args // {
       (dep: "mkdir -p ext; ln -s ${dep.dev}/include ext/${dep.extensionName}")
       internalDeps}
   '';
+  checkPhase = "NO_INTERACTON=yes make test";
 })

pkgs/build-support/docker/default.nix

@@ -37,6 +37,10 @@
 
 let
 
+  inherit (lib)
+    optionals
+    ;
+
   mkDbExtraCommand = contents: let
     contentsList = if builtins.isList contents then contents else [ contents ];
   in ''
@@ -532,7 +536,7 @@ rec {
         passthru.layer = layer;
         passthru.imageTag =
           if tag != null
-            then lib.toLower tag
+            then tag
             else
               lib.head (lib.strings.splitString "-" (baseNameOf result.outPath));
         # Docker can't be made to run darwin binaries
@@ -786,7 +790,11 @@ rec {
     fakeRootCommands ? "",
     # We pick 100 to ensure there is plenty of room for extension. I
     # believe the actual maximum is 128.
-    maxLayers ? 100
+    maxLayers ? 100,
+    # Whether to include store paths in the image. You generally want to leave
+    # this on, but tooling may disable this to insert the store paths more
+    # efficiently via other means, such as bind mounting the host store.
+    includeStorePaths ? true,
   }:
     assert
       (lib.assertMsg (maxLayers > 1)
@@ -834,7 +842,9 @@ rec {
         '';
       };
 
-      closureRoots = [ baseJson ] ++ contentsList;
+      closureRoots = optionals includeStorePaths /* normally true */ (
+        [ baseJson ] ++ contentsList
+      );
       overallClosure = writeText "closure" (lib.concatStringsSep " " closureRoots);
 
       # These derivations are only created as implementation details of docker-tools,

pkgs/build-support/docker/examples.nix

@@ -516,4 +516,29 @@ rec {
     bash
     layeredImageWithFakeRootCommands
   ];
+
+  helloOnRoot = pkgs.dockerTools.streamLayeredImage {
+    name = "hello";
+    tag = "latest";
+    contents = [
+      (pkgs.buildEnv {
+        name = "hello-root";
+        paths = [ pkgs.hello ];
+      })
+    ];
+    config.Cmd = [ "hello" ];
+  };
+
+  helloOnRootNoStore = pkgs.dockerTools.streamLayeredImage {
+    name = "hello";
+    tag = "latest";
+    contents = [
+      (pkgs.buildEnv {
+        name = "hello-root";
+        paths = [ pkgs.hello ];
+      })
+    ];
+    config.Cmd = [ "hello" ];
+    includeStorePaths = false;
+  };
 }

pkgs/build-support/vm/default.nix

@@ -822,45 +822,6 @@ rec {
   /* The set of supported Dpkg-based distributions. */
 
   debDistros = {
-
-    # Interestingly, the SHA-256 hashes provided by Ubuntu in
-    # http://nl.archive.ubuntu.com/ubuntu/dists/{gutsy,hardy}/Release are
-    # wrong, but the SHA-1 and MD5 hashes are correct.  Intrepid is fine.
-
-    ubuntu1204i386 = {
-      name = "ubuntu-12.04-precise-i386";
-      fullName = "Ubuntu 12.04 Precise (i386)";
-      packagesLists =
-        [ (fetchurl {
-            url = "mirror://ubuntu/dists/precise/main/binary-i386/Packages.bz2";
-            sha256 = "18ns9h4qhvjfcip9z55grzi371racxavgqkp6b5kfkdq2wwwax2d";
-          })
-          (fetchurl {
-            url = "mirror://ubuntu/dists/precise/universe/binary-i386/Packages.bz2";
-            sha256 = "085lkzbnzkc74kfdmwdc32sfqyfz8dr0rbiifk8kx9jih3xjw2jk";
-          })
-        ];
-      urlPrefix = "mirror://ubuntu";
-      packages = commonDebPackages ++ [ "diffutils" ];
-    };
-
-    ubuntu1204x86_64 = {
-      name = "ubuntu-12.04-precise-amd64";
-      fullName = "Ubuntu 12.04 Precise (amd64)";
-      packagesLists =
-        [ (fetchurl {
-            url = "mirror://ubuntu/dists/precise/main/binary-amd64/Packages.bz2";
-            sha256 = "1aabpn0hdih6cbabyn87yvhccqj44q9k03mqmjsb920iqlckl3fc";
-          })
-          (fetchurl {
-            url = "mirror://ubuntu/dists/precise/universe/binary-amd64/Packages.bz2";
-            sha256 = "0x4hz5aplximgb7gnpvrhkw8m7a40s80rkm5b8hil0afblwlg4vr";
-          })
-        ];
-      urlPrefix = "mirror://ubuntu";
-      packages = commonDebPackages ++ [ "diffutils" ];
-    };
-
     ubuntu1404i386 = {
       name = "ubuntu-14.04-trusty-i386";
       fullName = "Ubuntu 14.04 Trusty (i386)";
@@ -929,40 +890,6 @@ rec {
       packages = commonDebPackages ++ [ "diffutils" "libc-bin" ];
     };
 
-    ubuntu1710i386 = {
-      name = "ubuntu-17.10-artful-i386";
-      fullName = "Ubuntu 17.10 Artful (i386)";
-      packagesLists =
-        [ (fetchurl {
-            url = "mirror://ubuntu/dists/artful/main/binary-i386/Packages.xz";
-            sha256 = "18yrj4kqdzm39q0527m97h5ing58hkm9yq9iyj636zh2rclym3c8";
-          })
-          (fetchurl {
-            url = "mirror://ubuntu/dists/artful/universe/binary-i386/Packages.xz";
-            sha256 = "1v0njw2w80xfmxi7by76cs8hyxlla5h3gqajlpdw5srjgx2qrm2g";
-          })
-        ];
-      urlPrefix = "mirror://ubuntu";
-      packages = commonDebPackages ++ [ "diffutils" "libc-bin" ];
-    };
-
-    ubuntu1710x86_64 = {
-      name = "ubuntu-17.10-artful-amd64";
-      fullName = "Ubuntu 17.10 Artful (amd64)";
-      packagesLists =
-        [ (fetchurl {
-            url = "mirror://ubuntu/dists/artful/main/binary-amd64/Packages.xz";
-            sha256 = "104g57j1l3vi8wb5f7rgjvjhf82ccs0vwhc59jfc4ynd51z7fqjk";
-          })
-          (fetchurl {
-            url = "mirror://ubuntu/dists/artful/universe/binary-amd64/Packages.xz";
-            sha256 = "1qzs95wfy9inaskfx9cf1l5yd3aaqwzy72zzi9xyvkxi75k5gcn4";
-          })
-        ];
-      urlPrefix = "mirror://ubuntu";
-      packages = commonDebPackages ++ [ "diffutils" "libc-bin" ];
-    };
-
     ubuntu1804i386 = {
       name = "ubuntu-18.04-bionic-i386";
       fullName = "Ubuntu 18.04 Bionic (i386)";
@@ -997,51 +924,83 @@ rec {
       packages = commonDebPackages ++ [ "diffutils" "libc-bin" ];
     };
 
-    debian8i386 = {
+    ubuntu2004i386 = {
-      name = "debian-8.11-jessie-i386";
+      name = "ubuntu-20.04-focal-i386";
-      fullName = "Debian 8.11 Jessie (i386)";
+      fullName = "Ubuntu 20.04 Focal (i386)";
-      packagesList = fetchurl {
+      packagesLists =
-        url = "mirror://debian/dists/jessie/main/binary-i386/Packages.xz";
+        [ (fetchurl {
-        sha256 = "0adblarhx50yga900il6m25ng0csa81i3wid1dxxmydbdmri7v7d";
+            url = "mirror://ubuntu/dists/focal/main/binary-i386/Packages.xz";
-      };
+            sha256 = "sha256-7RAYURoN3RKYQAHpwBS9TIV6vCmpURpphyMJQmV4wLc=";
-      urlPrefix = "mirror://debian";
+          })
-      packages = commonDebianPackages;
+          (fetchurl {
+            url = "mirror://ubuntu/dists/focal/universe/binary-i386/Packages.xz";
+            sha256 = "sha256-oA551xVE80volUPgkMyvzpQ1d+GhuZd4DAe7dXZnULM=";
+          })
+        ];
+      urlPrefix = "mirror://ubuntu";
+      packages = commonDebPackages ++ [ "diffutils" "libc-bin" ];
     };
 
-    debian8x86_64 = {
+    ubuntu2004x86_64 = {
-      name = "debian-8.11-jessie-amd64";
+      name = "ubuntu-20.04-focal-amd64";
-      fullName = "Debian 8.11 Jessie (amd64)";
+      fullName = "Ubuntu 20.04 Focal (amd64)";
-      packagesList = fetchurl {
+      packagesLists =
-        url = "mirror://debian/dists/jessie/main/binary-amd64/Packages.xz";
+        [ (fetchurl {
-        sha256 = "09y1mv4kqllhxpk1ibjsyl5jig5bp0qxw6pp4sn56rglrpygmn5x";
+            url = "mirror://ubuntu/dists/focal/main/binary-amd64/Packages.xz";
-      };
+            sha256 = "sha256-d1eSH/j+7Zw5NKDJk21EG6SiOL7j6myMHfXLzUP8mGE=";
-      urlPrefix = "mirror://debian";
+          })
-      packages = commonDebianPackages;
+          (fetchurl {
+            url = "mirror://ubuntu/dists/focal/universe/binary-amd64/Packages.xz";
+            sha256 = "sha256-RqdG2seJvZU3rKVNsWgLnf9RwkgVMRE1A4IZnX2WudE=";
+          })
+        ];
+      urlPrefix = "mirror://ubuntu";
+      packages = commonDebPackages ++ [ "diffutils" "libc-bin" ];
     };
 
     debian9i386 = {
-      name = "debian-9.8-stretch-i386";
+      name = "debian-9.13-stretch-i386";
-      fullName = "Debian 9.8 Stretch (i386)";
+      fullName = "Debian 9.13 Stretch (i386)";
       packagesList = fetchurl {
-        url = "http://snapshot.debian.org/archive/debian/20200301T030401Z/dists/stretch/main/binary-i386/Packages.xz";
+        url = "https://snapshot.debian.org/archive/debian/20210526T143040Z/dists/stretch/main/binary-i386/Packages.xz";
-        sha256 = "1jglr1d1jys3xddp8f7w9j05db39fah8xy4gfkpqbd1b5d2caslz";
+        sha256 = "sha256-fFRumd20wuVaYxzw0VPkAw5mQo8kIg+eXII15VSz9wA=";
       };
       urlPrefix = "mirror://debian";
       packages = commonDebianPackages;
     };
 
     debian9x86_64 = {
-      name = "debian-9.8-stretch-amd64";
+      name = "debian-9.13-stretch-amd64";
-      fullName = "Debian 9.8 Stretch (amd64)";
+      fullName = "Debian 9.13 Stretch (amd64)";
       packagesList = fetchurl {
-        url = "http://snapshot.debian.org/archive/debian/20190503T090946Z/dists/stretch/main/binary-amd64/Packages.xz";
+        url = "https://snapshot.debian.org/archive/debian/20210526T143040Z/dists/stretch/main/binary-amd64/Packages.xz";
-        sha256 = "01q00nl47p12n7wx0xclx59wf3zlkzrgj3zxpshyvb91xdnw5sh6";
+        sha256 = "sha256-1p4DEVpTGlBE3PtbQ90kYw4QNHkW0F4rna/Xz+ncMhw=";
       };
       urlPrefix = "mirror://debian";
       packages = commonDebianPackages;
     };
 
+    debian10i386 = {
+      name = "debian-10.9-buster-i386";
+      fullName = "Debian 10.9 Buster (i386)";
+      packagesList = fetchurl {
+        url = "https://snapshot.debian.org/archive/debian/20210526T143040Z/dists/buster/main/binary-i386/Packages.xz";
+        sha256 = "sha256-zlkbKV+IGBCyWKD4v4LFM/EUA4TYS9fkLBPuF6MgUDo=";
+      };
+      urlPrefix = "mirror://debian";
+      packages = commonDebianPackages;
+    };
 
+    debian10x86_64 = {
+      name = "debian-10.9-buster-amd64";
+      fullName = "Debian 10.9 Buster (amd64)";
+      packagesList = fetchurl {
+        url = "https://snapshot.debian.org/archive/debian/20210526T143040Z/dists/buster/main/binary-amd64/Packages.xz";
+        sha256 = "sha256-k13toY1b3CX7GBPQ7Jm24OMqCEsgPlGK8M99x57o69o=";
+      };
+      urlPrefix = "mirror://debian";
+      packages = commonDebianPackages;
+    };
   };
 
 
@@ -1168,7 +1127,7 @@ rec {
     "passwd"
   ];
 
-  commonDebianPackages = commonDebPackages ++ [ "sysvinit" "diff" "mktemp" ];
+  commonDebianPackages = commonDebPackages ++ [ "sysvinit" "diff" ];
 
 
   /* A set of functions that build the Linux distributions specified

pkgs/development/beam-modules/default.nix

@@ -73,7 +73,6 @@ let
       # https://hexdocs.pm/elixir/compatibility-and-deprecations.html
 
       lfe = lfe_1_3;
-      lfe_1_2 = lib'.callLFE ../interpreters/lfe/1.2.nix { inherit erlang buildRebar3 buildHex; };
       lfe_1_3 = lib'.callLFE ../interpreters/lfe/1.3.nix { inherit erlang buildRebar3 buildHex; };
 
       # Non hex packages. Examples how to build Rebar/Mix packages with and
@@ -81,9 +80,6 @@ let
       hex = callPackage ./hex { };
       webdriver = callPackage ./webdriver { };
       relxExe = callPackage ../tools/erlang/relx-exe { };
-
-      # An example of Erlang/C++ package.
-      cuter = callPackage ../tools/erlang/cuter { };
     };
 in
 makeExtensible packages

pkgs/development/compilers/halide/default.nix

@@ -41,7 +41,17 @@ llvmPackages.stdenv.mkDerivation rec {
   # Note: only openblas and not atlas part of this Nix expression
   # see pkgs/development/libraries/science/math/liblapack/3.5.0.nix
   # to get a hint howto setup atlas instead of openblas
-  buildInputs = [ llvmPackages.llvm libpng libjpeg mesa eigen openblas ];
+  buildInputs = [
+    llvmPackages.llvm
+    llvmPackages.lld
+    llvmPackages.openmp
+    llvmPackages.libclang
+    libpng
+    libjpeg
+    mesa
+    eigen
+    openblas
+  ];
 
   nativeBuildInputs = [ cmake ];
 

pkgs/development/haskell-modules/cabal2nix-unstable.nix

@@ -8,10 +8,10 @@
 }:
 mkDerivation {
   pname = "cabal2nix";
-  version = "unstable-2021-05-06";
+  version = "unstable-2021-05-28";
   src = fetchzip {
-    url = "https://github.com/NixOS/cabal2nix/archive/b598bc4682b0827554b5780acdd6f948d320283b.tar.gz";
+    url = "https://github.com/NixOS/cabal2nix/archive/5fb325e094af91328e02cc2ecfd211feaeb135a7.tar.gz";
-    sha256 = "04afm56cyhj2l41cvq4z11k92jjchr21a8vg9pjaz438pma7jgw1";
+    sha256 = "1zbd336s99rgk24yjqlp012d0f66s5nf190sjmsl7mfhqx9j2y4l";
   };
   isLibrary = true;
   isExecutable = true;

pkgs/development/haskell-modules/configuration-common.nix

@@ -1156,6 +1156,23 @@ self: super: {
   # Therefore we jailbreak it.
   hakyll-contrib-hyphenation = doJailbreak super.hakyll-contrib-hyphenation;
 
+  # Jailbreak due to bounds on multiple dependencies,
+  # bound on pandoc needs to be patched since it is conditional
+  hakyll = doJailbreak (overrideCabal super.hakyll (drv: {
+    patches = [
+      # Remove when Hakyll > 4.14.0.0
+      (pkgs.fetchpatch {
+        url = "https://github.com/jaspervdj/hakyll/commit/0dc6127d81ff688e27c36ce469230320eee60246.patch";
+        sha256 = "sha256-YyRz3bAmIBODTEeS5kGl2J2x31SjiPoLzUZUlo3nHvQ=";
+      })
+      # Remove when Hakyll > 4.14.0.0
+      (pkgs.fetchpatch {
+        url = "https://github.com/jaspervdj/hakyll/commit/af9e29b5456c105dc948bc46c93e989a650b5ed1.patch";
+        sha256 = "sha256-ghc0V5L9OybNHWKmM0vhjRBN2rIvDlp+ClcK/aQst44=";
+      })
+    ];
+  }));
+
   # 2020-06-22: NOTE: > 0.4.0 => rm Jailbreak: https://github.com/serokell/nixfmt/issues/71
   nixfmt = doJailbreak super.nixfmt;
 
@@ -1207,14 +1224,10 @@ self: super: {
   hasql-notifications = dontCheck super.hasql-notifications;
   hasql-pool = dontCheck super.hasql-pool;
 
-  # This bumps optparse-applicative to <0.16 in the cabal file, as otherwise
+  # We jailbreak webify, as optparse-applicative evolved past the version bound
-  # the version bounds are not satisfied.  This can be removed if the PR at
+  # and the corresponding (and outdated) PR was not merged for a year.
-  # https://github.com/ananthakumaran/webify/pull/27 is merged and a new
+  # https://github.com/ananthakumaran/webify/pull/27
-  # release of webify is published.
+  webify = doJailbreak super.webify;
-  webify = appendPatch super.webify (pkgs.fetchpatch {
-    url = "https://github.com/ananthakumaran/webify/pull/27/commits/6d653e7bdc1ffda75ead46851b5db45e87cb2aa0.patch";
-    sha256 = "0xbfhzhzg94b4r5qy5dg1c40liswwpqarrc2chcwgfbfnrmwkfc2";
-  });
 
   # hasn‘t bumped upper bounds
   # upstream: https://github.com/obsidiansystems/which/pull/6

pkgs/development/haskell-modules/configuration-hackage2nix/broken.yaml

@@ -1675,7 +1675,6 @@ broken-packages:
   - grasp
   - gray-code
   - greencard
-  - greenclip
   - greg-client
   - gremlin-haskell
   - Grempa
@@ -1745,7 +1744,6 @@ broken-packages:
   - hakismet
   - hakka
   - hako
-  - hakyll
   - hakyll-shortcode
   - HaLeX
   - halfs
@@ -5026,7 +5024,6 @@ broken-packages:
   - web-encodings
   - WeberLogic
   - webfinger-client
-  - webify
   - webkit-javascriptcore
   - webmention
   - web-output

pkgs/development/haskell-modules/hackage-packages.nix

@@ -41557,7 +41557,7 @@ self: {
        license = lib.licenses.bsd3;
        hydraPlatforms = lib.platforms.none;
        broken = true;
-     }) {wlc = null;};
+     }) {inherit (pkgs) wlc;};
 
   "bindings-yices" = callPackage
     ({ mkDerivation, base, gmp, yices }:
@@ -110752,9 +110752,9 @@ self: {
 
   "greenclip" = callPackage
     ({ mkDerivation, base, binary, bytestring, directory, exceptions
-     , hashable, libXau, microlens, microlens-mtl, protolude, text
+     , hashable, libXau, libXScrnSaver, microlens, microlens-mtl
-     , tomland, unix, vector, wordexp, X11, xcb, xdmcp, xlibsWrapper
+     , protolude, text, tomland, unix, vector, wordexp, X11, xcb, xdmcp
-     , xscrnsaver
+     , xlibsWrapper
      }:
      mkDerivation {
        pname = "greenclip";
@@ -110767,14 +110767,12 @@ self: {
          microlens-mtl protolude text tomland unix vector wordexp X11
        ];
        executablePkgconfigDepends = [
-         libXau xcb xdmcp xlibsWrapper xscrnsaver
+         libXau libXScrnSaver xcb xdmcp xlibsWrapper
        ];
        description = "Simple clipboard manager to be integrated with rofi";
        license = lib.licenses.bsd3;
-       hydraPlatforms = lib.platforms.none;
+     }) {inherit (pkgs.xorg) libXScrnSaver; inherit (pkgs.xorg) libXau; 
-       broken = true;
+         xcb = null; xdmcp = null; inherit (pkgs) xlibsWrapper;};
-     }) {inherit (pkgs.xorg) libXau; xcb = null; xdmcp = null; 
-         inherit (pkgs) xlibsWrapper; xscrnsaver = null;};
 
   "greg-client" = callPackage
     ({ mkDerivation, base, binary, bytestring, clock, hostname, network
@@ -114775,8 +114773,6 @@ self: {
        testToolDepends = [ utillinux ];
        description = "A static website compiler library";
        license = lib.licenses.bsd3;
-       hydraPlatforms = lib.platforms.none;
-       broken = true;
      }) {inherit (pkgs) utillinux;};
 
   "hakyll-R" = callPackage
@@ -278699,8 +278695,6 @@ self: {
        ];
        description = "webfont generator";
        license = lib.licenses.mit;
-       hydraPlatforms = lib.platforms.none;
-       broken = true;
      }) {};
 
   "webkit" = callPackage
@@ -280226,7 +280220,7 @@ self: {
        description = "Haskell bindings for the wlc library";
        license = lib.licenses.isc;
        hydraPlatforms = lib.platforms.none;
-     }) {wlc = null;};
+     }) {inherit (pkgs) wlc;};
 
   "wobsurv" = callPackage
     ({ mkDerivation, aeson, attoparsec, base-prelude, bytestring

pkgs/development/haskell-modules/non-hackage-packages.nix

@@ -36,4 +36,16 @@ self: super: {
   # Unofficial fork until PRs are merged https://github.com/pcapriotti/optparse-applicative/pulls/roberth
   # cabal2nix --maintainer roberth https://github.com/hercules-ci/optparse-applicative.git > pkgs/development/misc/haskell/hercules-ci-optparse-applicative.nix
   hercules-ci-optparse-applicative = self.callPackage ../misc/haskell/hercules-ci-optparse-applicative.nix {};
+
+  #
+  # Backports
+  #
+
+  # This file overrides packages in `hackage-packages.nix`.
+
+  # Backport arion, to support Podman instead of Docker, for those who need NixOS-based containers.
+  # Generated with:
+  # nix-shell -I nixpkgs=$PWD -p cabal-install -p cabal2nix --run 'cabal update; cabal2nix cabal://arion-compose > pkgs/applications/virtualization/arion/arion-compose.nix'
+  arion-compose = self.callPackage ../../applications/virtualization/arion/arion-compose.nix {};
+
 }

pkgs/development/interpreters/erlang/R18.nix

@@ -1,34 +0,0 @@
-{ mkDerivation, fetchpatch }:
-
-let
-  rmAndPwdPatch = fetchpatch {
-     url = "https://github.com/erlang/otp/commit/98b8650d22e94a5ff839170833f691294f6276d0.patch";
-     sha256 = "0zjs7as83prgq4d5gaw2cmnajnsprdk8cjl5kklknx0pc2b3hfg5";
-  };
-
-  envAndCpPatch = fetchpatch {
-     url = "https://github.com/erlang/otp/commit/9f9841eb7327c9fe73e84e197fd2965a97b639cf.patch";
-     sha256 = "00fx5wc88ki3z71z5q4xzi9h3whhjw1zblpn09w995ygn07m9qhm";
-  };
-
-  makeOrderingPatch = fetchpatch {
-     url = "https://github.com/erlang/otp/commit/2f1a37f1011ff9d129bc35a6efa0ab937a2aa0e9.patch";
-     sha256 = "0xfa6hzxh9d7qllkyidcgh57xrrx11w65y7s1hyg52alm06l6b9n";
-  };
-
-  makeParallelInstallPatch = fetchpatch {
-     url ="https://github.com/erlang/otp/commit/de8fe86f67591dd992bae33f7451523dab36e5bd.patch";
-     sha256 = "1cj9fjhdng6yllajjm3gkk04ag9bwyb3n70hrb5nk6c292v8a45c";
-  };
-
-in mkDerivation {
-  version = "18.3.4.11";
-  sha256 = "190xbv77v5x2g8xkzdg9bpwa1ylkc18d03ag2a0frcwcv76x53k1";
-
-  patches = [
-    rmAndPwdPatch
-    envAndCpPatch
-    makeOrderingPatch
-    makeParallelInstallPatch
-  ];
-}

pkgs/development/interpreters/erlang/R19.nix

@@ -1,19 +0,0 @@
-{ mkDerivation, fetchpatch }:
-
-mkDerivation {
-  version = "19.3.6.13";
-  sha256 = "1zbg54p7pdr8bjyrxvi7vs41vgamqa8lsynnm6ac6845q0xwpwid";
-
-  patches = [
-    # macOS 10.13 crypto fix from OTP-20.1.2
-    (fetchpatch {
-      name = "darwin-crypto.patch";
-      url = "https://github.com/erlang/otp/commit/882c90f72ba4e298aa5a7796661c28053c540a96.patch";
-      sha256 = "1gggzpm8ssamz6975z7px0g8qq5i4jqw81j846ikg49c5cxvi0hi";
-    })
-  ];
-
-  prePatch = ''
-    substituteInPlace configure.in --replace '`sw_vers -productVersion`' "''${MACOSX_DEPLOYMENT_TARGET:-10.12}"
-  '';
-}

pkgs/development/interpreters/erlang/R20.nix

@@ -1,10 +0,0 @@
-{ mkDerivation }:
-
-mkDerivation {
-  version = "20.3.8.26";
-  sha256 = "062405s59hkdkmw2dryq0qc1k03jsncj7yqisgj35x9sqpzm4w7a";
-
-  prePatch = ''
-    substituteInPlace configure.in --replace '`sw_vers -productVersion`' "''${MACOSX_DEPLOYMENT_TARGET:-10.12}"
-  '';
-}

pkgs/development/interpreters/lua-5/default.nix

@@ -3,8 +3,8 @@
 
 rec {
   lua5_4 = callPackage ./interpreter.nix {
-    sourceVersion = { major = "5"; minor = "4"; patch = "2"; };
+    sourceVersion = { major = "5"; minor = "4"; patch = "3"; };
-    hash = "0ksj5zpj74n0jkamy3di1p6l10v4gjnd2zjnb453qc6px6bhsmqi";
+    hash = "1yxvjvnbg4nyrdv10bq42gz6dr66pyan28lgzfygqfwy2rv24qgq";
 
     patches = lib.optional stdenv.isDarwin ./5.4.darwin.patch;
   };

pkgs/development/libraries/arrow-cpp/default.nix

@@ -22,12 +22,12 @@ let
 
 in stdenv.mkDerivation rec {
   pname = "arrow-cpp";
-  version = "4.0.0";
+  version = "4.0.1";
 
   src = fetchurl {
     url =
       "mirror://apache/arrow/arrow-${version}/apache-arrow-${version}.tar.gz";
-    sha256 = "1bj9jr0pgq9f2nyzqiyj3cl0hcx3c83z2ym6rpdkp59ff2zx0caa";
+    sha256 = "0vl926i6jvsvj5vigdgqzp9v1i1h5zzj1abqr6qwc9drfsibzk3m";
   };
   sourceRoot = "apache-arrow-${version}/cpp";
 
@@ -146,11 +146,11 @@ in stdenv.mkDerivation rec {
       --exclude-regex '^(${builtins.concatStringsSep "|" excludedTests})$'
   '';
 
-  meta = {
+  meta = with lib; {
     description = "A  cross-language development platform for in-memory data";
     homepage = "https://arrow.apache.org/";
-    license = lib.licenses.asl20;
+    license = licenses.asl20;
-    platforms = lib.platforms.unix;
+    platforms = platforms.unix;
-    maintainers = with lib.maintainers; [ tobim veprbl ];
+    maintainers = with maintainers; [ tobim veprbl ];
   };
 }

pkgs/development/libraries/lasso/default.nix

@@ -1,4 +1,4 @@
-{ lib, stdenv, autoconf, automake, autoreconfHook, fetchurl, glib, gobject-introspection, gtk-doc, libtool, libxml2, libxslt, openssl, pkg-config, python27Packages, xmlsec, zlib }:
+{ lib, stdenv, autoconf, automake, autoreconfHook, fetchurl, fetchpatch, glib, gobject-introspection, gtk-doc, libtool, libxml2, libxslt, openssl, pkg-config, python27Packages, xmlsec, zlib }:
 
 stdenv.mkDerivation rec {
 
@@ -11,6 +11,14 @@ stdenv.mkDerivation rec {
 
   };
 
+  patches = [
+    (fetchpatch {
+      name = "CVE-2021-28091.patch";
+      url = "https://git.entrouvert.org/lasso.git/patch/?id=ea7e5efe9741e1b1787a58af16cb15b40c23be5a";
+      sha256 = "0070x01pir30hsb21mp69pf9pxingadl3y4w0afw07a5c57drhn4";
+    })
+  ];
+
   nativeBuildInputs = [ autoreconfHook pkg-config ];
   buildInputs = [ autoconf automake glib gobject-introspection gtk-doc libtool libxml2 libxslt openssl python27Packages.six xmlsec zlib ];
 

pkgs/development/libraries/libccd/default.nix

@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchFromGitHub, cmake }:
+{ lib, stdenv, fetchFromGitHub, fetchpatch, cmake }:
 
 stdenv.mkDerivation rec {
   pname = "libccd";
@@ -11,6 +11,15 @@ stdenv.mkDerivation rec {
     sha256 = "0sfmn5pd7k5kyhbxnd689xmsa5v843r7sska96dlysqpljd691jc";
   };
 
+  patches = [
+    # Fix pkgconfig file with absolute CMAKE_INSTALL_*DIR
+    # https://github.com/danfis/libccd/pull/76
+    (fetchpatch {
+      url = "https://github.com/danfis/libccd/commit/cd16c4f168ae308e4c77db66ac97a2eaf47e059e.patch";
+      sha256 = "02wj21c185kwf8bn4qi4cnna0ypzqm481xw9rr8jy1i0cb1r9idg";
+    })
+  ];
+
   nativeBuildInputs = [ cmake ];
 
   meta = with lib; {

pkgs/development/libraries/libiio/cmake-fix-libxml2-find-package.patch

@@ -0,0 +1,13 @@
+diff --color -ur a/CMakeLists.txt b/CMakeLists.txt
+--- a/CMakeLists.txt	2021-05-30 13:46:22.256040282 +0200
++++ b/CMakeLists.txt	2021-05-30 14:15:42.530181216 +0200
+@@ -333,7 +333,7 @@
+ # So, try first to find the CMake module provided by libxml2 package, then fallback
+ # on the CMake's FindLibXml2.cmake module (which can lack some definition, especially
+ # in static build case).
+-find_package(LibXml2 QUIET NO_MODULE)
++find_package(LibXml2 QUIET MODULE)
+ if(DEFINED LIBXML2_VERSION_STRING)
+ 	set(LIBXML2_FOUND ON)
+ 	set(LIBXML2_INCLUDE_DIR ${LIBXML2_INCLUDE_DIRS})
+Seulement dans b: good.patch

pkgs/development/libraries/libiio/default.nix

@@ -23,6 +23,10 @@ stdenv.mkDerivation rec {
     sha256 = "0psw67mzysdb8fkh8xpcwicm7z94k8plkcc8ymxyvl6inshq0mc7";
   };
 
+  # Revert after https://github.com/NixOS/nixpkgs/issues/125008 is
+  # fixed properly
+  patches = [ ./cmake-fix-libxml2-find-package.patch ];
+
   nativeBuildInputs = [
     cmake
     flex

pkgs/development/libraries/libraspberrypi/default.nix

@@ -19,7 +19,7 @@ stdenv.mkDerivation rec {
   patches = [
     (fetchpatch {
       # https://github.com/raspberrypi/userland/pull/670
-      url = "https://github.com/raspberrypi/userland/pull/670/commits/37cb44f314ab1209fe2a0a2449ef78893b1e5f62.patch";
+      url = "https://github.com/raspberrypi/userland/commit/37cb44f314ab1209fe2a0a2449ef78893b1e5f62.patch";
       sha256 = "1fbrbkpc4cc010ji8z4ll63g17n6jl67kdy62m74bhlxn72gg9rw";
     })
   ];

pkgs/development/libraries/libxlsxwriter/default.nix

@@ -8,13 +8,13 @@
 
 stdenv.mkDerivation rec {
   pname = "libxlsxwriter";
-  version = "1.0.5";
+  version = "1.0.6";
 
   src = fetchFromGitHub {
     owner = "jmcnamara";
     repo = "libxlsxwriter";
     rev = "RELEASE_${version}";
-    sha256 = "1jjmwg1mk7pvf36q30rng42qphgz6qdjvn96agrym2q0hhwxc99v";
+    sha256 = "03fdcbm0xnkxwv6fir4yy4x9q2p5h08j099w9xh5gc2ni7ygjlyx";
   };
 
   nativeBuildInputs = [

pkgs/development/libraries/polkit/default.nix

@@ -34,6 +34,13 @@ stdenv.mkDerivation rec {
       url = "https://gitlab.freedesktop.org/polkit/polkit/commit/5dd4e22efd05d55833c4634b56e473812b5acbf2.patch";
       sha256 = "17lv7xj5ksa27iv4zpm4zwd4iy8zbwjj4ximslfq3sasiz9kxhlp";
     })
+    (fetchpatch {
+      # https://www.openwall.com/lists/oss-security/2021/06/03/1
+      # https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/79
+      name = "CVE-2021-3560.patch";
+      url = "https://gitlab.freedesktop.org/polkit/polkit/-/commit/a04d13affe0fa53ff618e07aa8f57f4c0e3b9b81.patch";
+      sha256 = "157ddsizgr290jsb8fpafrc37gc1qw5pdvl351vnn3pzhqs7n6f4";
+    })
   ] ++ lib.optionals stdenv.hostPlatform.isMusl [
     # Make netgroup support optional (musl does not have it)
     # Upstream MR: https://gitlab.freedesktop.org/polkit/polkit/merge_requests/10

pkgs/development/ocaml-modules/tyxml/default.nix

@@ -2,13 +2,13 @@
 
 buildDunePackage rec {
   pname = "tyxml";
-  version = "4.4.0";
+  version = "4.5.0";
 
   useDune2 = true;
 
   src = fetchurl {
     url = "https://github.com/ocsigen/tyxml/releases/download/${version}/tyxml-${version}.tbz";
-    sha256 = "0c150h2f4c4id73ickkdqkir3jya66m6c7f5jxlp4caw9bfr8qsi";
+    sha256 = "0s30f72m457c3gbdmdwbx7ls9zg806nvm83aiz9qkpglbppwr6n6";
   };
 
   propagatedBuildInputs = [ uutf re ];

pkgs/development/python-modules/adblock/default.nix

@@ -8,6 +8,7 @@
 , openssl
 , publicsuffix-list
 , isPy27
+, libiconv
 , CoreFoundation
 , Security
 }:
@@ -37,7 +38,7 @@ buildPythonPackage rec {
     ++ (with rustPlatform; [ cargoSetupHook maturinBuildHook ]);
 
   buildInputs = [ openssl ]
-    ++ lib.optionals stdenv.isDarwin [ CoreFoundation Security ];
+    ++ lib.optionals stdenv.isDarwin [ libiconv CoreFoundation Security ];
 
   PSL_PATH = "${publicsuffix-list}/share/publicsuffix/public_suffix_list.dat";
 
@@ -49,7 +50,7 @@ buildPythonPackage rec {
   meta = with lib; {
     description = "Python wrapper for Brave's adblocking library, which is written in Rust";
     homepage = "https://github.com/ArniDagur/python-adblock/";
-    maintainers = with maintainers; [ petabyteboy ];
+    maintainers = with maintainers; [ petabyteboy dotlambda ];
     license = with licenses; [ asl20 mit ];
   };
 }

pkgs/development/python-modules/click-option-group/default.nix

@@ -0,0 +1,47 @@
+{ lib
+, buildPythonPackage
+, pythonOlder
+, fetchFromGitHub
+, click
+, pytestCheckHook
+}:
+
+buildPythonPackage rec {
+  pname = "click-option-group";
+  version = "0.5.3";
+  format = "setuptools";
+  disabled = pythonOlder "3.6";
+
+  src = fetchFromGitHub {
+    owner = "click-contrib";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "1w0692s8fabncpggpwl2d4dfqjjlmcia271rrb8hcz0r6nvw98ak";
+  };
+
+  propagatedBuildInputs = [
+    click
+  ];
+
+  checkInputs = [
+    pytestCheckHook
+  ];
+
+  pythonImportsCheck = [
+    "click_option_group"
+  ];
+
+  meta = with lib; {
+    description = "Option groups missing in Click";
+    longDescription = ''
+      Option groups are convenient mechanism for logical structuring
+      CLI, also it allows you to set the specific behavior and set the
+      relationship among grouped options (mutually exclusive options
+      for example). Moreover, argparse stdlib package contains this
+      functionality out of the box.
+    '';
+    homepage = "https://github.com/click-contrib/click-option-group";
+    license = licenses.bsd3;
+    maintainers = with maintainers; [ hexa ];
+  };
+}

pkgs/development/python-modules/drf-jwt/default.nix

@@ -3,18 +3,17 @@
 , fetchFromGitHub
 , pyjwt
 , djangorestframework
-, pytestCheckHook
 }:
 
 buildPythonPackage rec {
   pname = "drf-jwt";
-  version = "1.19.0";
+  version = "1.19.1";
 
   src = fetchFromGitHub {
     owner = "Styria-Digital";
     repo = "django-rest-framework-jwt";
     rev = version;
-    sha256 = "012rmm25w5gvkzi4lyyhn47y1n6g68q9gasga2mkv9i6mn8n4kp7";
+    sha256 = "sha256-++8rFXVsA5WMTt+aC4di3Rpa0BAW285/qM087i9uQ0g=";
   };
 
   propagatedBuildInputs = [

pkgs/development/python-modules/hdbscan/default.nix

@@ -40,6 +40,8 @@ buildPythonPackage rec {
     "test_mem_vec_diff_clusters"
     "test_all_points_mem_vec_diff_clusters"
     "test_approx_predict_diff_clusters"
+    # another flaky test https://github.com/scikit-learn-contrib/hdbscan/issues/421
+    "test_hdbscan_boruvka_balltree_matches"
   ];
 
   meta = with lib; {

pkgs/development/python-modules/pywemo/default.nix

@@ -47,11 +47,6 @@ buildPythonPackage rec {
     pytestCheckHook
   ];
 
-  disabledTests = [
-    # https://github.com/NixOS/nixpkgs/issues/124165
-    "test_bridge_getdevicestatus"
-  ];
-
   pythonImportsCheck = [ "pywemo" ];
 
   meta = with lib; {

pkgs/development/tools/analysis/radare2/default.nix

@@ -28,13 +28,13 @@
 
 stdenv.mkDerivation rec {
   pname = "radare2";
-  version = "5.2.1";
+  version = "5.3.0";
 
   src = fetchFromGitHub {
     owner = "radare";
     repo = "radare2";
     rev = version;
-    sha256 = "0n3k190qjhdlj10fjqijx6ismz0g7fk28i83j0480cxdqgmmlbxc";
+    sha256 = "sha256-xndnRVlqTB/NH1ROo7xkftLP7DufsJu4CCA9MCOEeng=";
   };
 
   postInstall = ''

pkgs/development/tools/delve/default.nix

@@ -1,4 +1,4 @@
-{ lib, buildGoPackage, fetchFromGitHub }:
+{ lib, buildGoPackage, fetchFromGitHub, makeWrapper }:
 
 buildGoPackage rec {
   pname = "delve";
@@ -14,6 +14,16 @@ buildGoPackage rec {
     sha256 = "sha256-bTVCasemE8Vyjcs8wZBiiXEsW3UBndjpPQ5bi+4vQkw=";
   };
 
+  subPackages = [ "cmd/dlv" ];
+
+  nativeBuildInputs = [ makeWrapper ];
+
+  postInstall = ''
+    # fortify source breaks build since delve compiles with -O0
+    wrapProgram $out/bin/dlv \
+      --prefix disableHardening " " fortify
+  '';
+
   meta = with lib; {
     description = "debugger for the Go programming language";
     homepage = "https://github.com/derekparker/delve";

pkgs/development/tools/erlang/cuter/default.nix

@@ -1,46 +0,0 @@
-{ lib, stdenv, autoreconfHook, which, writeText, makeWrapper, fetchFromGitHub, erlang
-, z3, python }:
-
-stdenv.mkDerivation rec {
-  pname = "cuter";
-  version = "0.1";
-
-  src = fetchFromGitHub {
-    owner = "aggelgian";
-    repo = "cuter";
-    rev = "v${version}";
-    sha256 = "1ax1pj6ji4w2mg3p0nh2lzmg3n9mgfxk4cf07pll51yrcfpfrnfv";
-  };
-
-  setupHook = writeText "setupHook.sh" ''
-    addToSearchPath ERL_LIBS "$1/lib/erlang/lib/"
-  '';
-
-  nativeBuildInputs = [ autoreconfHook makeWrapper which ];
-  buildInputs = [ python python.pkgs.setuptools z3.python erlang ];
-
-  buildFlags = [ "PWD=$(out)/lib/erlang/lib/cuter-${version}" "cuter_target" ];
-  configurePhase = ''
-    autoconf
-    ./configure --prefix $out
-  '';
-
-  installPhase = ''
-    mkdir -p "$out/lib/erlang/lib/cuter-${version}"
-    mkdir -p "$out/bin"
-    cp -r * "$out/lib/erlang/lib/cuter-${version}"
-    cp cuter "$out/bin/cuter"
-    wrapProgram $out/bin/cuter \
-      --prefix PATH : "${python}/bin" \
-      --suffix PYTHONPATH : "${z3}/${python.sitePackages}" \
-      --suffix ERL_LIBS : "$out/lib/erlang/lib"
-  '';
-
-  meta = {
-    description = "A concolic testing tool for the Erlang functional programming language";
-    license = lib.licenses.gpl3;
-    homepage = "https://github.com/aggelgian/cuter";
-    maintainers = with lib.maintainers; [ ericbmerritt ];
-    platforms = with lib.platforms; unix;
-  };
-}

pkgs/development/tools/ijq/default.nix

@@ -2,15 +2,15 @@
 
 buildGoModule rec {
   pname = "ijq";
-  version = "0.2.3";
+  version = "0.3.4";
 
   src = fetchgit {
     url = "https://git.sr.ht/~gpanders/ijq";
     rev = "v${version}";
-    sha256 = "14n54jh5387jf97zhc7aidn7w60zp5624xbvq4jdbsh96apg3bk1";
+    sha256 = "ZKxEK6SPxEC0S5yXSzITPn0HhpJa4Bcf9X8/N+ZZAeA=";
   };
 
-  vendorSha256 = "0xbni6lk6y3ig7pj2234fv7ra6b8qv0k8m3bvh59wwans8xpihzb";
+  vendorSha256 = "04KlXE2I8ZVDbyo9tBnFskLB6fo5W5/lPzSpo8KGqUU=";
 
   nativeBuildInputs = [ makeWrapper ];
 

pkgs/development/tools/rust/cbindgen/latest.nix

@@ -0,0 +1,38 @@
+{ lib, stdenv, fetchFromGitHub, rustPlatform, python3Packages, Security }:
+
+rustPlatform.buildRustPackage rec {
+  pname = "rust-cbindgen";
+  version = "0.19.0";
+
+  src = fetchFromGitHub {
+    owner = "eqrion";
+    repo = "cbindgen";
+    rev = "v${version}";
+    sha256 = "0753dklr5lm1dmk6hy5khh8k3xyr5srfsq11l07685h71j7z0r00";
+  };
+
+  cargoSha256 = "0qyw0iqin7i31kk23ddsmywk7z0xxpd5n4q6dr6mf44y35a8krm8";
+
+  buildInputs = lib.optional stdenv.isDarwin Security;
+
+  checkInputs = [
+    python3Packages.cython
+  ];
+
+  checkFlags = [
+    # Disable tests that require rust unstable features
+    # https://github.com/eqrion/cbindgen/issues/338
+    "--skip test_expand"
+    "--skip test_bitfield"
+    "--skip lib_default_uses_debug_build"
+    "--skip lib_explicit_debug_build"
+    "--skip lib_explicit_release_build"
+  ];
+
+  meta = with lib; {
+    description = "A project for generating C bindings from Rust code";
+    homepage = "https://github.com/eqrion/cbindgen";
+    license = licenses.mpl20;
+    maintainers = with maintainers; [ jtojnar ];
+  };
+}

pkgs/development/tools/stagit/default.nix

@@ -2,12 +2,12 @@
 
 stdenv.mkDerivation rec {
   pname = "stagit";
-  version = "0.9.5";
+  version = "0.9.6";
 
   src = fetchgit {
     url = "git://git.codemadness.org/stagit";
     rev = version;
-    sha256 = "1wlx5k0v464fr1ifjv04v7ccwb559s54xpsbxdda4whyx1v0fbq4";
+    sha256 = "sha256-0vkdxtKZv7LyEHKGPrB4uOI2lD74+haelEanq2sOjkE=";
   };
 
   makeFlags = [ "PREFIX=$(out)" ];

pkgs/development/web/deno/default.nix

@@ -17,15 +17,15 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "deno";
-  version = "1.10.2";
+  version = "1.10.3";
 
   src = fetchFromGitHub {
     owner = "denoland";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-uePCEYcYahsxcgA+GDcloqqo+dr7Y2N/9nps6Y79D58=";
+    sha256 = "sha256-25FfxGtPZ+KQCmXur6pwrb1l/xjCWgw69CMLPihnhAU=";
   };
-  cargoSha256 = "sha256-6fm1RWuTVWCE6nKgkC/SRQYRXGf9SGv7kAXWNqsdQS8=";
+  cargoSha256 = "sha256-CopfdjafWAhpbrdYSHJjKHKCLw94TSaiSAH4CVFOHi8=";
 
   # Install completions post-install
   nativeBuildInputs = [ installShellFiles ];

pkgs/games/warzone2100/default.nix

@@ -3,7 +3,7 @@
 , fetchurl
 , cmake
 , ninja
-, zip
+, p7zip
 , pkg-config
 , asciidoctor
 , gettext
@@ -68,7 +68,7 @@ stdenv.mkDerivation rec {
     pkg-config
     cmake
     ninja
-    zip
+    p7zip
     asciidoctor
     gettext
     shaderc

pkgs/servers/dns/pdns-recursor/default.nix

@@ -33,6 +33,9 @@ stdenv.mkDerivation rec {
     description = "A recursive DNS server";
     homepage = "https://www.powerdns.com/";
     platforms = platforms.linux;
+    badPlatforms = [
+      "i686-linux"  # a 64-bit time_t is needed
+    ];
     license = licenses.gpl2;
     maintainers = with maintainers; [ rnhmjoj ];
   };

pkgs/servers/matrix-synapse/default.nix

@@ -12,11 +12,11 @@ let
 in
 buildPythonApplication rec {
   pname = "matrix-synapse";
-  version = "1.34.0";
+  version = "1.35.1";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "sha256-lXVJfhcH9lKOCHn5f4Lc/OjgEYa5IpauKRhBsFXNWLw=";
+    sha256 = "sha256-MJ3RG60rWbcfQxhj34k99AFg8TsPd3ECEw/x2+xU1js=";
   };
 
   patches = [
@@ -27,12 +27,13 @@ buildPythonApplication rec {
   buildInputs = [ openssl ];
 
   propagatedBuildInputs = [
-    setuptools
+    authlib
     bcrypt
     bleach
     canonicaljson
     daemonize
     frozendict
+    ijson
     jinja2
     jsonschema
     lxml
@@ -44,20 +45,20 @@ buildPythonApplication rec {
     psutil
     psycopg2
     pyasn1
+    pyjwt
     pymacaroons
     pynacl
     pyopenssl
     pysaml2
     pyyaml
     requests
+    setuptools
     signedjson
     sortedcontainers
     treq
     twisted
-    unpaddedbase64
     typing-extensions
-    authlib
+    unpaddedbase64
-    pyjwt
   ] ++ lib.optional enableSystemd systemd
     ++ lib.optional enableRedis hiredis;
 
@@ -66,7 +67,6 @@ buildPythonApplication rec {
   doCheck = !stdenv.isDarwin;
 
   checkPhase = ''
-    ${lib.optionalString (!enableRedis) "rm -r tests/replication # these tests need the optional dependency 'hiredis'"}
     PYTHONPATH=".:$PYTHONPATH" ${python3.interpreter} -m twisted.trial tests
   '';
 

pkgs/servers/matrix-synapse/matrix-appservice-irc/default.nix

@@ -10,6 +10,8 @@ let
   };
 in
 ourNodePackages."${packageName}".override {
+  pname = "matrix-appservice-irc";
+
   nativeBuildInputs = [ makeWrapper nodePackages.node-gyp-build ];
 
   postInstall = ''

pkgs/servers/matrix-synapse/matrix-appservice-slack/default.nix

@@ -13,6 +13,8 @@ let
   };
 in
 nodePackages.package.override {
+  pname = "matrix-appservice-slack";
+
   inherit src;
 
   nativeBuildInputs = [ pkgs.makeWrapper ];

pkgs/servers/matrix-synapse/tools/default.nix

@@ -1,4 +1,6 @@
 { callPackage }:
 {
   rust-synapse-compress-state = callPackage ./rust-synapse-compress-state.nix { };
+
+  synadm = callPackage ./synadm.nix { };
 }

pkgs/servers/matrix-synapse/tools/synadm.nix

@@ -0,0 +1,41 @@
+{ lib
+, python3Packages
+}:
+
+with python3Packages; buildPythonApplication rec {
+  pname = "synadm";
+  version = "0.29";
+  format = "setuptools";
+
+  src = fetchPypi {
+    inherit pname version;
+    sha256 = "1vy30nwsns4jnv0s5i9jpyplxpclgwyw0gldpywv4z3fljs0lzik";
+  };
+
+  propagatedBuildInputs = [
+    click
+    click-option-group
+    tabulate
+    pyyaml
+    requests
+  ];
+
+  checkPhase = ''
+    runHook preCheck
+    export HOME=$TMPDIR
+    $out/bin/synadm -h > /dev/null
+    runHook postCheck
+  '';
+
+  meta = with lib; {
+    description = "Command line admin tool for Synapse";
+    longDescription = ''
+      A CLI tool to help admins of Matrix Synapse homeservers
+      conveniently issue commands available via its admin API's
+      (matrix-org/synapse@master/docs/admin_api)
+    '';
+    homepage = "https://github.com/JOJ0/synadm";
+    license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ hexa ];
+  };
+}